August 26, 2005

Information Technology Management

Report on Defense Business Management System Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through May 15, 2005
(D-2005-104)

Department of Defense
Office of Inspector General
Quality    Integrity    Accountability

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

August 26, 2005

MEMORANDUM FOR THE OFFICE OF THE UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
               DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Report on Defense Business Management System Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through May 15, 2005 (Report No. D-2005-104)

We are providing this report for your information and use. No written response to this report is required. Therefore, we are publishing this report in final form.

We appreciate the courtesies extended to the staff. Questions should be directed to Mr. Michael Perkins at (703) 325-3557 (DSN 221-3557) or Donna Roberts at (703) 428-1070 (DSN 328-1070).

By direction of the Deputy Inspector General for Auditing:

Paul J. Granetto, CPA
Assistant Inspector General
Defense Financial Auditing Service

Table of Contents

   Foreword

   Section I
       Independent Service Auditor's Report ..... 1

   Section II
       Description of the Defense Business Management System Operations and Controls Provided by the Defense Finance and Accounting Service ..... 7

   Section III
       Control Objectives, Control Activities, and Service Auditor's Tests of Operating Effectiveness ..... 19

   Section IV
       Supplemental Information Provided by the Defense Finance and Accounting Service and the Defense Information System Agency ..... 81

   Acronyms and Abbreviations ..... 85

   Report Distribution ..... 87

Foreword

This report is intended for the use of the Defense Finance and Accounting Service (DFAS) and Defense Information System Agency (DISA) management, its user organizations, and the independent auditors of its user organizations. Department of Defense personnel who manage and use the Defense Business Management System (DBMS) will also find this report of interest, as it contains information about DBMS application controls.

The Department of Defense Office of the Inspector General (DoD OIG) is implementing a long-range strategy to conduct audits of DoD financial statements. The Chief Financial Officer's Act of 1990 (P.L. 101-576), as amended, mandates that agencies prepare and conduct audits of financial statements.
The reliability of information in DBMS directly affects DoD's ability to produce reliable, and ultimately auditable, financial statements, which is key to achieving the goals of the Chief Financial Officer's Act.

DBMS is a legacy general ledger financial management system implemented at DFAS-Columbus, Ohio in 1969. DBMS has been modified significantly since 1969 with the addition of modules and subsystems to support cost accounting, military personnel costing, funds appropriation, and reimbursable receivables. It provides support to various DoD agencies. Due to a recent migration, the DBMS mid-tier servers and mainframe have been moved to DISA Systems Management Center-Ogden, Utah as of February 2005.

This audit assessed controls over the DBMS processing of transactions at DFAS and DISA. This report provides an opinion on the fairness of presentation, the adequacy of design, and the operating effectiveness of key controls that are relevant to audits of user organization financial statements. As a result, this audit precludes the need for the multiple audits of DBMS controls previously performed by user organizations to plan or conduct financial statement and performance audits. This audit will also provide, in a separate audit report, recommendations to management for correction of identified control deficiencies. Effective internal control is critical to achieving reliable information for all management reporting and decision making purposes.

Section I: Independent Service Auditor's Report

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

August 26, 2005

MEMORANDUM FOR THE OFFICE OF THE UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
               DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Report on Defense Business Management System Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through May 15, 2005

We have examined the accompanying description of the general computer and application controls related to the Defense Business Management System (DBMS) (Section II). The DBMS, including general computer and application controls, is directly supported and maintained by DFAS and DISA.
Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of the controls at DFAS and DISA that may be relevant to a DBMS user organization's internal controls as they relate to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and user organizations applied the controls contemplated in the design of controls at DFAS and DISA; and (3) such controls had been placed in operation as of May 15, 2005.

The control objectives were specified by the DoD OIG and accepted by DFAS and DISA. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the general computer and application controls at DFAS and DISA related to DBMS (Section II) presents fairly, in all material respects, the relevant aspects of the controls at DFAS and DISA that had been placed in operation as of May 15, 2005, including the completed migration of the DBMS application from DECC-Columbus to SMC-Ogden in February 2005.
Also, in our opinion, the controls, as described, were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and users applied those aspects of internal control contemplated in the design of the controls at DFAS and DISA.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in Section III, to obtain evidence about their effectiveness in meeting the related control objectives described in Section III during the period October 1, 2004 to May 15, 2005. The specific control objectives, controls, and the nature, timing, extent, and results of the tests are listed in Section III. This information has been provided to DBMS user organizations and their auditors for consideration when making assessments of control.

A number of controls in place to ensure compliance with DoD information assurance policies, including DoDI 8500.2 and the Defense Information Technology Security Certification and Accreditation Process (DITSCAP), appear to be suitably designed, but our tests of operating effectiveness indicated inconsistencies in adherence to these policies. As discussed in Section III, Control Objectives, Control Activities, and Service Auditor's Tests of Operating Effectiveness, we identified deficiencies relating to the operating effectiveness of controls in operation for the period October 1, 2004 to May 15, 2005.

In performing our examination, we found DFAS did not have policies and procedures in place for performing periodic recertification of user access to DBMS. Also, maintenance of access request forms and worksheet documents was inconsistent, resulting in separated employees retaining access to the application.
We also found that DFAS did not have policies and procedures that detailed the retention and review of DBMS access and audit logs.

Tests of operating effectiveness for general controls identified primary deficiencies in access and system software controls. Specifically:

   •   DECC-Columbus did not have policies and procedures requiring privileged users to use privileged access only to perform their functions. For example, Systems Administrators were not required to have a separate or additional logon to perform their non-privileged functions. Other than the supervisor, there was no one at DECC-Columbus responsible for tracking privileged role assignments. When an employee changed jobs within DECC-Columbus, there was no check to ensure the access level was adjusted to reflect current requirements.
   •   DECC-Columbus did not adhere to the DoD Security Technical Implementation Guide (STIG) for Resource Access Control Facility (RACF). Specifically, testing revealed there was no written standard identifying needed access. This prevented system administrators from restricting access based on position description, least privilege, and separation of duties.
   •   SMC-Ogden did not adhere to the Oracle STIG. Specifically, user privileges were not periodically reviewed, non-administrator accounts were granted excessive privileges, and password parameters did not comply with DoD requirements.

Tests of operating effectiveness for application controls identified primary deficiencies in authorization, completeness, and change controls. Specifically:

   •   DFAS did not have authorization controls in place to verify that supervisors properly assigned function codes to promote separation of duties. In addition, password configurations restricting access to DBMS did not comply with DoD length, complexity, re-use, and encryption requirements. The minimum and maximum password change period was not specified.
   •   Applications interfacing with DBMS sent data in clear text via File Transfer Protocol (FTP) that was not secured by encryption. In addition, the interface control for SRD-1 required a header and trailer for DBMS to accept the transaction file. However, on three separate tests, the transaction file was accepted each time without the trailer.
   •   The documented change control process for DBMS did not reflect the change control processes actually being followed. DFAS did not have documentation supporting changes (normal and emergency), changes did not have appropriate signatures, and test plans and results were not in the change package.
   •   DFAS did not have Information Assurance (IA) roles specified in writing.

As a result of these deficiencies, the controls for DBMS did not provide reasonable assurance that the following control objectives were fully achieved during the period of October 1, 2004 to May 15, 2005:

   •   "Resource owners have identified authorized users and their access authorized," (Control Activity AC-2.1)
   •   "Adequate logical access controls have been implemented. Logical controls over data files and software programs," (Control Activity AC-3.1a)
   •   "Adequate logical access controls have been implemented. Logical controls over a database," (Control Activity AC-3.2c)
   •   "Access authorizations are appropriately limited," (Control Activity SS-1.1)
   •   "Policies and techniques have been implemented for using and monitoring use of system utilities," (Control Activity SS-2.1)
   •   "Inappropriate or unusual activity is investigated and appropriate actions taken," (Control Activity SS-2.2)
   •   "Authorizations for software modifications are documented and maintained," (Control Activity CC-1.2)
   •   "Emergency changes are promptly tested and approved," (Control Activity CC-2.2)
   •   "Data entry terminals are secured and restricted to authorized users," (Control Activity AN-2.1)
   •   "Users are limited in what transactions they can enter," (Control Activity AN-2.2)
   •   "Reconciliations show the completeness of data processed at points in the processing cycle," (Control Activity CP-2.1)
   •   "Reconciliations show the completeness of data processed for the total cycle," (Control Activity CP-2.2) and
   •   "Rejected transactions are controlled with an automated error suspense file." (Control Activity AY-3.1)

In our opinion, except for the matters listed in the preceding paragraphs, the controls that were tested, as described in Section III, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Section III were achieved during the period from October 1, 2004 to May 15, 2005. However, the scope of our engagement did not include tests to determine whether control objectives not listed in Section III were achieved; accordingly, we express no opinion on the achievement of control objectives not listed in Section III.

The relative effectiveness and significance of specific controls at DFAS and DISA and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We performed no procedures to evaluate the effectiveness of internal controls at individual user organizations.

The description of controls at DFAS and DISA is as of May 15, 2005, and the information about tests of the operating effectiveness of specific controls covers the period from October 1, 2004 to May 15, 2005. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at DFAS and DISA is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected.
Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that (1) changes made to the system or controls, (2) changes in processing requirements, or (3) changes required because of the passage of time may alter the validity of such conclusions.

This report is intended solely for use by management of DFAS and DISA, the DBMS user organizations, and the independent auditors of such user organizations.

By direction of the Deputy Inspector General for Auditing:

Assistant Inspector General
Defense Financial Auditing Service

Section II: Description of Defense Business Management System Operations and Controls Provided by the Defense Finance and Accounting Service

A. Overview of DBMS

System Overview

DBMS was developed in incremental parts, beginning with the Payroll Subsystem in 1969 and the Personnel Subsystem in 1972. The Resource Administration Subsystem (RAS) was added in 1975 to support business areas such as Cost Accounting, Managerial Reporting, Military Personnel Costing, and Performance Productivity. The Appropriation Accounting Subsystem (AAS) was added in 1986 to provide a uniform, automated system of accounting for appropriated funds, with the major components of this subsystem being funds control, appropriation record maintenance, job order accounting, and financial reporting. Finally, the Automated Billing System (ABS) was added in 1998 to provide a centralized point of input for data needed to record and manage work requests received from customers via the reimbursable order process.
After DoD selected DCPS for Payroll and the Defense Civilian Personnel Data System for Personnel, the DBMS Payroll and Personnel Subsystems were eliminated. Both were decommissioned before 2000.

System Capabilities

DBMS is currently a logical partition (LPAR) on a Z890-A-04 mainframe at SMC-Ogden. It is subdivided into 17 production copies of the DBMS SUPRA database with one test database. The 17 copies support approximately 4,720 customers in the Defense Agencies Accounting Business Line spread across 60 sites. Each production database is managed separately; however, some customers manage multiple databases. The breakdown is presented below:

   Customer                                                 Number of Databases
   Defense Commissary Agency                                3
   Defense Contract Audit Agency                            1
   Defense Contract Management Agency                       1
   Defense Finance and Accounting Service (Residual Data)   2
   Defense Logistics Agency                                 8
   Navy                                                     2

As established by the Service Level Agreement (SLA) between DISA and DFAS, each database copy is permitted to remain online for processing only during a prescribed window.
At all other times, the databases are taken offline for batch processing and maintenance purposes, prohibiting user access.

Each subsystem includes the following functions:

   •   RAS

          o Labor Processing – Obtains payroll and personnel data from interfacing systems that provide estimated hours and dollars for civilian employees.

          o Organizational Management – Establishes controls that impose hierarchical relationships between the Agency, Activity, and Office structures and between the Agency Basic Cost Accounts, Tasks, and Work Units.

          o Operational Cost – Labor dollar and hour adjustments received from interfacing systems update labor dollar and hour figures in RAS.

          o Military Personnel/Manpower – Maintains current military personnel records and tracks related costs.

          o Performance – Measures work performance and work effectiveness, reporting on how efficiently labor is being used.

          o Online Processing – Access to RAS is through the online, real-time SUPRA database environment.

   •   AAS

          o Funds Control – Establishes quarterly operating target records as the primary method of controlling available funds.

          o General Ledger Maintenance – Records the receipt of funds, commitments, obligations, expenses, disbursements, and customer orders accepted; and updates the applicable general ledger records online.

          o Appropriation Record Maintenance – Maintains historical records for all transactions that affect the status and utilization of funds.

          o Job Order Accounting – Allows for the establishment of job orders to accumulate costs pertinent to the accomplishment of specific work assignments.

          o Financial Reporting – Prepares various financial reports and listings to provide data for use by local management and for submission to DFAS-Headquarters, including data utilized for analysis and reconciliation of accounts.

   •   ABS

          o Reimbursable Receivables – Central point of input and automatic interface of work counts produced in support of Reimbursable Receivables.

          o Funds Control – Controls all work orders, service orders, and work requests received from federal agencies.

          o Excess Earnings – Accounts for the automatic release of suspended excess earnings as additional funds provided by the customer.

System Architecture

DBMS has a two-tiered architecture comprised of:

   •   Mid-tier and mainframe (hardware and software) components, and

   •   Remote user/print spooler hardware and software (online viewing, printing, and downloading).

The mid-tier and mainframe components are used as a repository for the collection and accumulation of accounting, billing, labor, and non-labor data. Their primary function is to provide centralized, daily processing of general ledger and cost reports.

The remote user/print spooler hardware and software are used primarily for online report viewing, printing of mainframe-generated outputs, and downloading financial information. These components are largely customer-owned and operated. They include personal computers, local area networks, a diverse assortment of printers, and the software that operates and connects them.
Customers have access to "Report.Web" software, which is utilized for viewing, printing, and downloading reports produced during nightly batch cycles.

DBMS recently completed a migration in which the mid-tier and mainframe servers were moved from DECC-Columbus to SMC-Ogden, as part of the larger DISA transformation strategy currently underway. The DBMS mid-tier server was moved to SMC-Ogden in May 2004, and the mainframe server was moved in February 2005.

ABS is hosted on the mid-tier utilizing an Oracle database. One of its primary functions is to provide an automatic interface and central point of input for all transactions relating to reimbursable receivable documents. All of the policies guiding the configuration of the database, user account settings, and permissions are controlled by Terminal Area Security Officers (TASOs). Most of the settings were in place before the box was moved from DECC-Columbus. The Oracle implementation is installed on a mid-tier machine and runs on the UNIX operating system.

The technical components of the DBMS mainframe architecture include the following attributes:

   •   The hardware supporting the application is housed on the Z890-A-04 mainframe LPAR located at SMC-Ogden;

   •   The operating system software is z/OS, Release 1.4;

   •   DBMS is written in COBOL XT, COBOL, and MANTIS 4GL languages;

   •   The mainframe is initially protected by IBM's Resource Access Control Facility (RACF); and

   •   Third-party software packages are used for process scheduling and monitoring services.

Both SUPRA LPARs (development and test, and production) transitioned to SMC-Ogden.
SUPRA security is implemented through two external security packages: CINCOM ENTIRE controls security at the application level, and RACF controls security at the operating system and dataset levels. The current mainframe operating system for the SUPRA Physical Data Manager database is z/OS, Release 1.4. There are 17 databases, which are configured with the same security settings, passwords, and logons.

The two tiers of the DBMS architecture are connected via DoD-maintained networks, comprised of Internet Protocol-based (e.g., Non-Classified Internet Protocol Router Network) and Systems Network Architecture-based (leased line) services. These networks connect DBMS to a number of customer sites (mainframes, mid-tiers, and personal computers) that supply or regularly exchange data with DBMS, mainly through electronic file transfers. Examples of external interface sites include DCPS, SRD-1, and BOSS.

System Interfaces

DBMS customers maintain their own financial management systems that indirectly interface to DBMS in batch cycles via unencrypted FTP. Incoming files from interfacing systems are first processed on a mid-tier platform. The mid-tier utilizes hard-coded logic in the Liaison Activity Code Table (LACT) to route the incoming information to the appropriate DBMS SUPRA database copy. The information is routed if it contains a header and trailer attached by the sending system, signifying the beginning and end of the interfacing file. After the information is routed, it is processed by DBMS and posted to the General Ledger. If information cannot be routed to a specific database copy, DBMS sends the specific transaction to the designated default database and logs it to a report there for further research by the Accounting Operations Personnel.
DFAS-Columbus Accounting Technicians then manually correct the transaction.

Reconciliations are performed by DFAS-Columbus; however, full reliance is placed on the interfacing systems and customers to have rigorous controls in place that catch erroneous information and missing or duplicate transactions in the batch before transmitting to DBMS.

The most important interfaces include DCPS payroll data, SRD-1 Fund Balance with Treasury information, and BOSS retail stock fund/supply transactions.

The only direct interface to DBMS, bypassing the mid-tier, is a recently added interface for Defense Commissary Agency – Europe that sends foreign national pay data.

Sensitivity of Data Processed and System Criticality

DBMS contains Sensitive but Unclassified financial information at the Mission Assurance Category (MAC) III level. Actual data elements contain technical, personnel, and financial data that require protection from unauthorized disclosure. The DBMS unclassified environment includes sensitive financial and controlled information that is exempt from mandatory release to the public under the Freedom of Information Act. The DBMS environment includes files that, when aggregated or integrated, increase the sensitivity level. To ensure adequate protection of data during FTP processes, DBMS incorporates a Virtual Private Network, when required.

The compromise or unauthorized disclosure of DBMS information would have an adverse impact on and actively counter DFAS' mission, functions, image, or reputation. The impact would place DFAS at a significant disadvantage, resulting in intense public scrutiny, loss of public trust, and the possible loss of significant tangible assets or resources. Potential overstatement or understatement of assets, liabilities, or net position and significant effects on the completeness and existence of transaction information are possible.
DBMS has a recovery window of 72 hours.

Compromise or unauthorized disclosure of DBMS information is prevented through various logical access controls. Specifically, workstations are properly secured to prevent unauthorized access to the application. Users are authenticated with a unique user identification (ID) and password. The application is only available during specified online processing windows corresponding with normal business hours and disconnects after a period of non-usage. Users have three successive failed logon attempts before the account becomes locked, and a locked account can be unlocked only by a TASO. Finally, access logs are produced that track users logging in and out of the application. A List of Security Violations report tracks failed logins by user and details the reason, usually invalid user passwords or locked accounts.

B. Control Environment

DFAS-Headquarters, located in Arlington, Virginia, provides management control and coordination within the DoD and has overall responsibility for the interpretation and application of DBMS through the DFAS-Columbus Accounting Systems Program Management Office.

Administration

Administration of DBMS includes manual operations and standard operating procedures designed to counter fraud, waste, and abuse, including separation of duties, which ensures that work responsibilities are separated so that one individual does not control all critical stages of a process. Physical access to the system will be granted through a rigorous, well-established process conducted in accordance with DoD Directive 5200.2-R, "Personnel Security Program", and the Code of Federal Regulations (Chapters 731, 732, and 736).

Personnel

Personnel are assigned security duties to enforce DFAS policies for the operation and protection of DFAS automated information systems.
These individuals are knowledgeable in the nature of the information and processes supported by the application and in the management, personnel, operational, and technical controls used to protect the information. The responsibility for implementation, acceptance, and maintenance of adequate automated accounting systems security is assigned to the following individuals:

   •   The Program Manager is responsible for the overall development, delivery, and life cycle maintenance of DBMS and for ensuring that all users have been properly trained and are familiar with security policies and procedures before being granted access.

   •   The Designated Approving Authority is responsible for evaluating the level of risk associated with operating DBMS and granting either an Interim Authority to Operate or an Authority to Operate, if the risk is found to be acceptable.

   •   The Information System Security Manager is responsible for enforcing all applicable security policies and safeguards for all personnel with access to DBMS. In addition, the Information System Security Manager evaluates known or suspected vulnerabilities to ascertain if additional safeguards are needed.

   •   The Certification Authority is responsible for developing and maintaining the accreditation support documentation.

   •   The Information System Security Officer (ISSO) is responsible for day-to-day security administration and security management of DBMS.

   •   The TASO is responsible for performing assigned security tasks as designated by the ISSO, including resetting passwords, suspending or unsuspending accounts, and acting as a general liaison from the user to the ISSO for access-related issues.

C. Monitoring

Management and supervisory personnel at DFAS and DISA monitor the performance quality and internal control environment as a normal part of their activities. DFAS and DISA have implemented a number of management controls that help monitor access to the DBMS application as well as the mainframe. The System Support Office at DFAS-Columbus coordinates access requests and forwards them to the SMC-Ogden Security Office to be established in DBMS. Additionally, several application products are in place to monitor system access to the mainframe LPAR and to the DBMS online portion of the application.

There are performance products on the DISA mainframe to monitor the performance of the hardware and software to ensure the system is performing at maximum efficiency. DFAS and DISA are establishing additional techniques to monitor users' online access to DBMS, including a reading group on the online reporting system which allows Systems area personnel to review, correct, or update online system access.

Violation Listings

DBMS generates violation listings which provide a means of monitoring and correcting the transactions that did not successfully process or interface into DBMS. Transactions attempting to interface into DBMS must meet the established edit, validation, and compatibility criteria before DBMS records and accounts are updated. Transactions that fail to meet these criteria are rejected and appear on violation listings. These violations or rejects all carry messages identifying the reason for the rejection.

DBMS also generates violation follow-up listings that contain transactions that have not been cleared by the Accounting Department or the DBMS customer.
These violation follow-up listings are generated on a daily basis, and transactions remain on the listings with the original error message until corrective action is taken.

DITSCAP Certification and Accreditation

DoD Directive 5200.40, DITSCAP, issued December 30, 1997, and DoD 8510.1-M, “DITSCAP Application Manual,” issued July 31, 2000, established the DITSCAP as the standard DoD certification and accreditation process. Certification is the comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards made in support of the accreditation process to establish the extent to which a particular design and implementation adheres to specified security requirements. Accreditation is the formal declaration by a Designated Approving Authority that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. DITSCAP establishes a standard process, set of activities, general tasks, and a management structure to certify and accredit an information system that will maintain the information assurance and security posture of the Defense Information Infrastructure. This process supports an infrastructure-centric approach with a focus on the mission, environment, and architecture.

DBMS must comply with all of the DITSCAP certification and accreditation requirements throughout its life cycle and document the requirements in the SSAA. The SSAA is a formal agreement among the Designated Approving Authority, the Certifier, the user representative, and the program manager, employed to guide actions, document decisions, specify information assurance requirements, document certification tailoring and level-of-effort, identify potential solutions, and maintain operational systems security.
SSAAs were prepared for the DBMS application and the supporting operating environment.

Department of Defense, Office of Inspector General

The DoD OIG was established by Congress to conduct and supervise audits and investigations related to DoD programs and operations. The DoD OIG reports directly to the Secretary of Defense and is independent of DFAS and DISA. DBMS, as well as the business processes it supports, is part of the DoD OIG audit universe and is subject to financial, operational, and information technology (IT) audits, reviews, and special assessment projects.

Office of the Inspector General, Defense Information Systems Agency

DISA has its own Office of the Inspector General, which is an independent office within DISA that conducts internal audits, inspections, and investigations. The DISA-related components that support DBMS are part of the DISA Office of the Inspector General audit universe and are subject to audits, inspections, and investigations conducted by the DISA OIG.

D. Information and Communication

Information Systems

DBMS is the mixed-function legacy information system serving as the core financial system for several Defense Agencies and the general ledger accounting system of record for those agencies. DBMS indirectly interfaces with a host of financial feeder applications that reside at various DFAS centers, DFAS operating locations, or DISA DECCs through a mid-tier server via unencrypted FTP.

Communication

The support relationship between DFAS and DISA is documented through an SLA, which outlines various DFAS and DISA points of contact and liaisons that should be utilized when issues with DBMS arise.

Within DFAS, the Software Configuration Control Board is responsible for approving and controlling requested functional and systemic changes to DBMS.
At scheduled meetings conducted by the Technical Program Manager, the status of current releases, new change requests, and targeted future release dates is reviewed.

E. Control Activities

The DBMS control objectives and related control activities provided by DFAS management are included in Section III of this report, “Control Objectives, Control Activities, and Tests of Operating Effectiveness,” to eliminate the redundancy that would result from listing them in this section and repeating them in Section III. Although the control objectives and related controls are included in Section III, they are, nevertheless, an integral part of the DFAS description of controls.

F. User Organization Control Considerations

The control activities at DFAS related to DBMS were designed with the assumption that certain controls would be placed in operation at user organizations. The application of such controls by user organizations is necessary to achieve certain control objectives identified in this report. This section describes some of the controls that should be in operation at user organizations to complement the controls at DFAS and DISA. The following user organization control considerations are not a comprehensive list of all controls that user organizations should employ.
Other controls may be required at customer organizations.

User organizations should have policies and procedures in place to provide reasonable assurance that:

   •   Hard copy documents (e.g., purchase orders, training orders, and miscellaneous obligation documents) are authorized, accurate, and complete before the user enters them into DBMS for input and automated processing.

   •   Authorized individuals input data into DBMS, enter it accurately and completely, and seek approval from appropriate personnel.

   •   Erroneous data are corrected and resubmitted in a timely manner.

   •   The appropriate users review output for completeness and accuracy.

   •   DBMS computer terminals, communication lines, and data outputs are protected from unauthorized access.

   •   Passwords needed to access DBMS through computer terminals are protected against unauthorized disclosure and misuse.

   •   DBMS TASOs are notified in a timely manner when employees leave or transfer, which supports the TASOs’ ability to cancel system access authority for those individuals.

Section III: Control Objectives, Control Activities, and Tests of Operating Effectiveness

III. Control Objectives, Control Activities, and Tests of Operating Effectiveness

A. Scope Limitations

DFAS and DISA specified the control objectives documented in this section. As described in the prior section (Section II), DBMS interfaces with many systems. The controls and tests described in this section of the report are limited to those computer systems, operations, and processes directly related to DBMS.
Controls related to the source and destination systems associated with the DBMS interfaces are specifically excluded from this review. We did not perform procedures to evaluate the effectiveness of the input, processing, and output controls in these interfacing systems, although we did perform procedures to evaluate DBMS’ interface input and output controls.

Control Objectives, Control Activities, and Service Auditor’s Tests of Operating Effectiveness

Access Control (AC)

Controls provide reasonable assurance that computer resources (data files, application programs, system software, and computer-related facilities and equipment) are protected against unauthorized modification, disclosure, loss, or impairment.

Control Activity:
AC-1.1 Resource classifications and related criteria have been established.
AC-1.2 Owners have classified resources.

Control Description (DISA):
Security Technical Implementation Guide (STIG) implementation is at MAC III Sensitive Level.

The DISA networks are being protected to MAC III level, while the enclaves are being protected to the highest MAC level operating within the enclave or sub-enclave. The Non-secure Internet Protocol Router Networks are being protected at Sensitive Confidentiality Level.

Customers identify the MAC and Confidentiality level for their applications.

Tests of Operating Effectiveness (DISA):
Inquired of security personnel about the criteria used to classify resources.
Inspected the DISA Computing Services Security Handbook, DoDI 8500.2, site security plan, and SLA for DISA and DFAS to determine that appropriate resource classifications were established.

Results of Tests of Operating Effectiveness (DISA):
No relevant exceptions were noted.

Control Activity:
AC-2.1: Resource owners have identified authorized users and their access authorized.

Control Description (DISA):
The DISA Computing Services Security Handbook details granting access to system resources.

DECC-Columbus users who have access to the mainframe and mid-tier servers where the application resides have completed DD Form 2875.

Tests of Operating Effectiveness (DISA):
Inspected the DISA Computing Services Security Handbook for the process used to grant access.
Inspected the user list and employee list to confirm that all users were on the employee list.
Inspected DD Form 2875 for users with access to the mainframe.

Results of Tests of Operating Effectiveness (DISA):
A list of individuals who can approve access was not maintained for SMC-Ogden.

DECC-Columbus:
   •   Did not track privileged role assignments.
   •   Allowed inactive accounts to remain enabled for 180 days before they are reviewed.
   •   Did not disable access for 13 of 45 separated users.

Control Activity:
AC-3.1a: Adequate physical security controls have been implemented. Physical safeguards have been established that are commensurate with the risks of physical damage or access.

Control Description (DISA):
DISA facilities are located on military or General Services Administration installations with controlled access and controlled perimeter. Where Computing Services facilities are not located on military or General Services Administration installations, Computing Services facilities are enclosed with a fence that provides vehicle and pedestrian access controls. Local military, DoD, or General Services Administration police perform routine patrol and random door checks. Each site has an agreement with the local police organization to perform security checks. In some cases, local police organizations have agreed to perform annual penetration testing; however, not all local police organizations are equipped to perform penetration tests.

The computer facility has:
   •   True floor to ceiling walls;
   •   Solid entrance doors;
   •   Doors with hinges that prevent easy removal;
   •   Emergency doors free of devices on the outside and equipped with a panic bar release on the inside and a ½ inch deadbolt throw;
   •   Doors with Balanced Magnetic Switches;
   •   Entrance doors with three-position combination lock for classified areas; and
   •   Intrusion Detection System for volume within the area for those facilities or areas processing classified information.

All intrusion detection systems alarm remotely to an external element that can dispatch a response team.

Tests of Operating Effectiveness (DISA):
Toured and inspected the physical layout and environmental controls present in the DECC-Columbus and SMC-Ogden data centers.
Inspected that sensitive areas are marked as restricted.
Inspected the risk assessment for both DECC-Columbus and SMC-Ogden data centers to determine if threats had been identified.
Inspected the process for gaining access to DECC-Columbus and SMC-Ogden data centers.
Inquired if management reviewed access to the DECC-Columbus and SMC-Ogden data centers on a periodic basis.
Inquired if a facility penetration testing procedure was in place at DECC-Columbus and SMC-Ogden.

Results of Tests of Operating Effectiveness (DISA):
DECC-Columbus did not have access request forms for individuals to gain physical access to the data center.

DECC-Columbus had not performed a facility penetration test of the data center.

Control Activity:
AC-3.1b: Adequate physical security controls have been implemented. Visitors are controlled.

Control Description (DISA):
All Computing Services personnel who do not have the appropriate security investigation or clearance will be escorted at all times while in the computing facility.

All non-Computing Services personnel will be escorted at all times while in the computing facility.

Tests of Operating Effectiveness (DISA):
Inspected procedures for handling visitors at the DECC-Columbus and SMC-Ogden data centers.
Inquired on procedures to control visitor access to the data centers through a log book.
Inspected policies for changing access codes to the data centers’ cipher locks.

Results of Tests of Operating Effectiveness (DISA):
Adequate training was not provided to DECC-Columbus data center personnel to increase their awareness of visitor policies for the data center.

Control Activity:
AC-3.2a: Adequate logical access controls have been implemented.
Passwords, tokens, or other devices are used to identify and authenticate users.

Control Description (DISA):
Password configuration requirements:
   •   Minimum of 8 characters,
   •   One lower-case character,
   •   One upper-case character,
   •   One number, and
   •   One special character.

Passwords changed every 90 days.

Password can only be changed once within 24 hours.

Password cannot be reused for 10 cycles.

Password cannot reuse any character more than once.

Password is individual authentication associated with individual user identification.

Passwords are encrypted in storage.

Tests of Operating Effectiveness (DISA):
Inspected policies and procedures for password parameters.
Inquired whether authentication required symmetric keys.
Inquired if authentication was accomplished using Public Key Infrastructure Class 3 or 4 certificates.
Inquired if concurrent logins were permitted.
Inquired how DISA ensured commonly-used names or easily-guessed passwords were not used.
Inquired if all contractors were identified by ‘CTR’ in their e-mail address.
Inquired if vendor-supplied passwords were removed from new systems during installation.
Inquired on policies and procedures for control of smart-cards or sophisticated access control devices.
Inspected a network diagram that documented logical access points to the Local Area Network.

Results of Tests of Operating Effectiveness (DISA):
DECC-Columbus only required three characters to be changed when updating user account passwords.

Control Activity:
AC-3.2c: Adequate logical access controls have been implemented. Logical controls over data files and software programs.

Control Description (DISA):
The mainframe access control application, RACF, protects the DBMS application and the system software it resides on through identification and authentication techniques.

RACF mainframe security software enforces discretionary access controls. Also, access to shared and networked file systems outside the mainframe environment is controlled through discretionary access controls enforced through network access privileges.

RACF is configured in accordance with the RACF STIG.

Tests of Operating Effectiveness (DISA):
Inspected the RACF ‘SETROPTS’ report.
Inspected the production ‘SETROPTS’ report.
Inspected production ‘DSMON’ reports.
Inquired if there was a policy requiring every ‘applid’ to use RACF to validate user IDs and passwords.

Results of Tests of Operating Effectiveness (DISA):
DECC-Columbus did not comply with the STIG for RACF. Testing of the RACF system configuration settings revealed:
   •   Erase-On-Scratch was not active for all sensitive datasets.
   •   Password options such as change interval and history were not set to standard.
   •   No written standard existed to compare which users can have access to SYSTEM SPECIAL, GROUP SPECIAL and SYSTEM AUDITOR.
   •   No standards existed to verify that programs in the Program Properties Table with a system key or allowed to bypass RACF validation were appropriate.
   •   Five resource classes were not active and one resource class was active but contained rules that left the system unprotected.
   •   The RACF Started Procedures table had duplicate, conflicting entries, and a coding error that made the last part of the table unusable.
   •   Some datasets were listed in the RACF “Selected Datasets Report” as either “not found” or “not cataloged.”
   •   Gaps in procedures for allocation of system datasets, populating them with programs, protecting them with RACF, and marking them Authorized Program Facility (APF)-authorized made it possible for unauthorized APF programs to be added to the system.
   •   RACF rules permitted any user to read or purge any print dataset on the print queue waiting to be printed.
   •   RACF’s control of the ability to bypass standard labels on tape datasets was not active.
   •   The RACF Global Access Table permitted every user to have complete access to every dataset whose name begins “SYSOUT.”

Control Activity:
AC-3.2d: Adequate logical access controls have been implemented. Logical controls over a database.

Control Description (SUPRA):
System logging should be active to facilitate producing audit reports. The CINCOM vendor recommends that system logging be activated. The system logging options “ABNA” should be used. This will record task sign-on to the database, and before-images and after-images of the database records.

System logs should be retained to facilitate producing audit reports.

Directory files should be properly protected by external security software (e.g. ACF2, RACF, Top Secret).

Physical Data Manager system and task log files should be properly protected by external security software (e.g. ACF2, RACF, Top Secret).

The SUPRA database files should have appropriate access control.

The SUPRA software installation and runtime libraries should have appropriate access control.

If non-database administrator (DBA) users are allowed into directory maintenance facilities, then directory security should be enabled to control the types of access these users have in the directory.

Passwords need to be vigorously protected in job control language input source and in batch job output.

Sensitive administrative authorities should be limited to users with a legitimate business need for these authorities (for example, the DBA should have the only access to DIRM, etc.).

Powerful utilities and functions should be limited to users with a legitimate business need for these capabilities (e.g. DBA, security administrator).

Stand-alone utilities should be protected by the external security software (e.g. ACF2, RACF, Top Secret).

SUPRA security administration functions should be performed by the appropriate personnel.

Tests of Operating Effectiveness (SUPRA):
Observed that SUPRA was logging information to two data sets.
Inspected the SUPRA logging settings as “ANNA”: A, all system sign-ons were logged; N, did not log before images; N, did not log utilities; A, did not log after images.
Inquired if SUPRA logs were maintained and how they were used.
Inspected the RACF security setting for SUPRA.
Inspected the Comprehensive Retrieval Results for five directory files.
Inspected RACF for the Physical Data Manager system and task logs.
Inspected the RACF security rules for user access to SUPRA datasets.
Inspected a list of SUPRA software libraries.
Inquired about the RACF Customer Information Control System (CICS) access rules.
Inspected RACF CICS access rules.
Inspected the DBMS Audit MFCP LPAR RACF domain name server Rules and found that the three CICS transactions had read access.
Inspected the DBMS MFCP LPAR RACF SUPRA Programs file for security definitions of stand-alone utilities.
Inquired who performed the security administration for SUPRA.

Results of Tests of Operating Effectiveness (SUPRA):
The “INTERFLM” database had universal access; having read access to certain SUPRA files (INTERFLM in particular) provided a vehicle for updating the databases and should have been limited by user access requirements.

Directory files were not protected in the RACF program resource class.

Control Description (Oracle):
Database management systems and data dictionary controls have been implemented that:
   •   restrict access to data files at the logical data view, field, or field-value level;
   •   control access to the data dictionary using security profiles and passwords;
   •   maintain audit trails that allow monitoring of changes to the data dictionary; and
   •   provide inquiry and update capabilities from application program functions, interfacing database management systems or data dictionary facilities.

Use of database management system utilities is limited.

Access and changes to database management system software are controlled.

Access to security profiles in the data dictionary and security tables in the database management system is limited.

Tests of Operating Effectiveness (Oracle):
Inquired of the Oracle DBA about the security settings for the Oracle database that supported DBMS.
Inspected the Oracle STIG and compared the outputs of the Oracle STIG script to the required settings in the Oracle STIG.

Results of Tests of Operating Effectiveness (Oracle):
Application user privilege assignment was not reviewed periodically to ensure compliance with least privilege and documented policy.

The Oracle version 9.2.0.4.0 was not at the current patchset level, which was version 9.2.0.6.

The system tablespace was being used as the default or temporary tablespace for four non-system accounts.

Three non-DBA accounts had been granted Oracle default roles.

Access to default replication accounts was not restricted to authorized DBAs.

The AUDIT_SYS_OPERATIONS parameter was not set to TRUE.

The required minimum of two Oracle control files was not configured and stored on separate physical disks.

Database communications were not configured to use static Internet protocol port assignments to remote database connections.

The SQLNET.EXPIRE_TIME had not been set to a value greater than 0 to prevent inactive remote connections to the database.

The SQL*Plus HOST command was not restricted to authorized users only.

PUBLIC had been granted EXECUTE privileges to restricted.

Unauthorized profiles had the password life time set to more than 90 days. The password life time should be set to 90 days or less for user accounts and 365 days for application batch processing accounts.

Profiles were found with either PASSWORD_REUSE_MAX not set to 10 or more or PASSWORD_REUSE_TIME not set to 365 or more.

The Password Verify Function was not specified.

The default profile exceeded the allowed resource limit for Idle Time of 15 minutes.

The default profile did not have maximum failed logon attempts set to 3.

The SQL92_SECURITY parameter was not set to TRUE.

The RENAME object audit option was not specified on default. RENAME was not audited on application objects.
The audit\n                                                         trail SYS.AUD$ was not being audited for\n                                                         update and delete by all users.\n\n                                                         The ORA_ENCRYPT_LOGIN was not set\n                                                         to TRUE to prevent remote login attempts\n                                                         with the password sent in clear text.\n\n                                                         All required events were not audited in\n                                                         Oracle.\n\n                                                         The RESOURCE_LIMIT initialization\n                                                         parameter was not set to TRUE.\n\n\n\n\n                                     33\n\x0cControl Activity:\nAC-4.1: Audit trails are maintained.\n\nControl Description                               Tests of Operating Effectiveness        Results of Tests of Operating Effectiveness\nDISA                                              DISA                                    DISA\nLogging includes:                                 Inspected the audit trail monitoring,   System audit records were not maintained\n                                                  analysis, and reporting processes.      
for one year.\n\xe2\x80\xa2   Minimum unsuccessful attempts are logged\n    to access security files, and logons;         Inspected RACF logs.\n\xe2\x80\xa2   Minimum successful and unsuccessful\n    attempts to modify system controls; and       Inquired how long audit records were\n\xe2\x80\xa2   Records identify user ID, date, and time of   maintained.\n    event.\n\nAudit records are reviewed periodically.\n\nSuspected violations are subject to inquiry.\n\nSubstantiated violations are reported to\nInformation Assurance Manager, who directs\nrequired action.\n\nAudit records are retained for one year on an\nexternal storage device.\n\nAudit requirements are listed in each of the\nSTIGs.\n\n\n\n                                                                   34\n\x0cSystem Software (SS)\n\nControls provide reasonable assurance that changes to the existing systems software and implementation of new system software are\nauthorized, tested, approved, properly implemented, and documented.\n\nControl Activity:\nSS- 1.1 Access authorizations are appropriately limited.\n\nControl Description                                Tests of Operating Effectiveness           Results of Tests of Operating Effectiveness\nOS/390                                             OS/390                                     OS/390\nPolicies for restricting access to systems         Inspected output to determine who had      DECC-Columbus did not comply with the\nsoftware are detailed in the OS/390. These         update or greater access to parameter      STIG for OS/390. Testing of the OS/390\ndocuments establish guidelines for restricting     libraries.                                 operating system configuration revealed:\naccess to sensitive system datasets. The\nnetwork device control policy is detailed in the   Inquired on the change control process        \xe2\x80\xa2   Three datasets containing user ID and\nNetwork Infrastructure STIG, which outlines        for parameter libraries.   
                       passwords had a default access of\naccess restrictions to network devices, and also                                                     READ.\ndetails the secure configuration of network        Inquired who reviewed updates made to         \xe2\x80\xa2   One APF-authorized library could be\ndevices.                                           the production system parameter library.          updated by any RACF-defined user.\n                                                                                                 \xe2\x80\xa2   Written standards did not specify\n                                                   Inspected who had update or greater               contents of system libraries.\n                                                   access to procedure libraries.                    Specifically:\n                                                                                                        o No indication of what user\n                                                   Inquired what the change control process                 Supervisory Calls had been\n                                                   was for procedure libraries.                             
authorized.\n                                                                                                        o No indication of what APF\n                                                                                                            libraries had been authorized.\n                                                                                                        o No indication of what\n                                                                                                            modifications to the Program\n                                                                                                            Properties Table had been\n                                                                   35\n\x0cControl Description                              Tests of Operating Effectiveness            Results of Tests of Operating Effectiveness\n                                                                                                           authorized.\n                                                                                                \xe2\x80\xa2 Implementation of changes by\n                                                                                                    DECC-Columbus with no formal and\n                                                                                                    supporting documentation of\n                                                                                                    approval of system software\n                                                                                                    modifications/changes made by\n                                                                                                    DECC-Mechanicsburg.\n\nHP-UNIX                                                                                      HP-UNIX\nPolicies and procedures for restricting access   HP-UNIX                                    
 FTP and telnet were enabled.\nto systems software exist and are up-to-date.    Inspected the procedures in the Security\n                                                 Features User\xe2\x80\x99s Guide for the HP-UNIX       Secure Shell was not at the current version.\n                                                 platform.\nAccess to system software is restricted to a\n                                                                                             System settings did not in comply with the\nlimited number of personnel, corresponding to\n                                                 Inspected the script results to determine   UNIX STIG.\njob responsibilities. Application programmers\n                                                 compliance with the UNIX STIG.\nand computer operators are specifically\nprohibited from accessing system software.\n\nThe HP-UNIX operating system is configured\nin accordance with the UNIX STIG.\n\n\n\n\n                                                                  36\n\x0cControl Activity:\nSS-2.1 Policies and techniques have been implemented for using and monitoring use of system utilities.\nSS-2.2 Inappropriate or unusual activity is investigated and appropriate actions taken.\n\nControl Description                               Tests of Operating Effectiveness            Results of Tests of Operating Effectiveness\nOS/390                                            OS/390                                      OS/390\nMainframe audit log policies are outlined in      Inspected the System Management             DECC-Columbus did not comply with the\nthe OS/390 STIG, Volume 1. The OS/390             Facility records selected for logging.      STIG for OS/390. 
Testing of the OS/390\nSTIG requires review of dataset access                                                        operating system configuration revealed:\nviolations, resource violations, and program      Inspected output for key Multiple Virtual\nuse violations on a daily basis and requires      Storage system libraries.                      \xe2\x80\xa2   Three datasets containing user ID and\nreview of the failed log-on attempts and                                                             passwords had a default access of\nsecurity privileges on a weekly/monthly basis.    Inspected output to determine which files          READ.\n                                                  were used to collect the system audit          \xe2\x80\xa2   One APF-authorized library could be\nThe OS/390 STIG requires the DECC-                trail.                                             updated by any RACF-defined user.\nColumbus to review the RACF global control                                                       \xe2\x80\xa2   Written standards did not specify\noptions at least quarterly to determine whether   Inquired if any user could modify the              contents of system libraries.\nany changes were authorized and necessary.        audit files.                                       
Specifically:\n                                                                                                        o No indication of what user\n                                                                                                            Supervisory Calls had been\n                                                                                                            authorized.\n                                                                                                        o No indication of what APF\n                                                                                                            libraries had been authorized.\n                                                                                                        o No indication of what\n                                                                                                            modifications to the Program\n                                                                                                            Properties Table had been\n                                                                                                            authorized.\n                                                                                                 \xe2\x80\xa2   Implementation of changes by\n                                                                                                     DECC-Columbus with no formal and\n                                                                                                     supporting documentation of\n\n                                                                   37\n\x0cControl Description                              Tests of Operating Effectiveness            Results of Tests of Operating Effectiveness\n                                                                                                    approval of system software\n                                               
                                                     modifications/changes made by\n                                                                                                    DECC-Mechanicsburg.\n\n                                                                                             SMC-Ogden had not implemented effective\n                                                                                             procedures for monitoring, controlling, and\n                                                                                             backing-up audit logs recording access to\n                                                                                             and use of system software and utilities.\n\nHP-UNIX                                          HP-UNIX                                     HP-UNIX\nThe operating system is configured to prevent    Inspected the script results to determine   No relevant exceptions were noted.\ncircumvention of the security software and       compliance with the UNIX STIG.\napplication controls and configured in\naccordance with the UNIX STIG.\n\nSecurity Planning (SP)\n\nIn order to assess the application controls of DBMS, an understanding of the application\xe2\x80\x99s business purpose and financial impact, as\nwell as its processing environment, should be obtained. DFAS should develop a tailored security plan that is in compliance with\nDITSCAP. DBMS should undergo the certification and accreditation process in accordance with DITSCAP.\n\nControl Activity:\nSP-1 Periodically assess risks.\n\nControl Description                              Tests of Operating Effectiveness            Results of Tests of Operating Effectiveness\nDISA                                             DISA                                        DISA\nPeriodic evaluations and annual reviews are      Inspected risk management policies,         The risk assessment for DECC-Columbus\nconducted to determine risk.      
               DISA Instruction 630-125-6                  was not performed every three years.\n\n                                                                  38\n\x0cControl Description                           Tests of Operating Effectiveness            Results of Tests of Operating Effectiveness\n                                              \xe2\x80\x9cManagement Control Program\xe2\x80\x9d and\nA formal risk assessment is developed and     \xe2\x80\x9cResidual Risk in DoD\xe2\x80\x9d Accreditation\nconducted once every 3 years. Formal risk     issued by FSO.\nassessments are updated annually based on\nannual reviews.                               Inspected the risk assessments for\n                                              DECC-Columbus and SMC-Ogden.\n\nControl Activity:\nSP-1 System documentation for DBMS application exists and is current.\n\nControl Description                           Tests of Operating Effectiveness            Results of Tests of Operating Effectiveness\nDFAS                                          DFAS                                        DFAS\nDBMS technical documentation exists and is    Inspected the SSAA for DBMS to              No relevant exceptions were noted.\ncurrent.                                      
determine appropriateness in relation to\n                                              the current control environment.\n\n                                              Inquired of management regarding the\n                                              current operating environment and\n                                              current versions of the operating system,\n                                              database, and security software.\n\nControl Activity:\nSP-2 An application and general support security plan exists and covers the appropriate sections as defined by federal\nregulations and agency requirements.\n\nControl Description                           Tests of Operating Effectiveness            Results of Tests of Operating Effectiveness\nDISA                                          DISA                                        DISA\nSecurity plan developed for each site.        Inspected the site security plans.          Site security plan did not contain Rules of\n                                                                                          Behavior and OS/390 Security Features User\n\n                                                              39\n\x0cControl Description                                 Tests of Operating Effectiveness             Results of Tests of Operating Effectiveness\n                                                                                                 Guide.\n\nDFAS                                                DFAS                                         DFAS\nDFAS has documented and finalized a DBMS            Inspected the security plan to ensure that   In the DBMS security plan, the appointed\nsecurity plan that contains security policies and   updates (if any) were in accordance with     personnel to Information Assurance roles\nprocedures (i.e. 
application security plan,         DoD and National Institute of Standards      were not specified in writing, nor were duties\nsecurity manuals) containing the following          and Technology guidance.                     and appointment criteria described.\nelements of DoDI 8500.2 and National\nInstitute of Standards and Technology Special\nPublication 800-18, \xe2\x80\x9cGuide for Developing\nSecurity Plans for Information Technology\nSystems\xe2\x80\x9d:\n\n   a. Roles and responsibilities of\n      application security officer(s), user\n      managers, users, etc.\n   b. Procedures for granting, modifying,\n      and removing access.\n   c. Standard job profiles.\n   d. Periodic re-certification of user access.\n   e. Monitoring and timely follow-up to\n      access violations and other security-\n      related reports.\n   f. Access only by valid combination of\n      log-on IDs and individual passwords\n      (one unique ID per user).\n   g. Minimum password length (i.e. 8\n      characters).\n   h. Password character composition (e.g. 1\n                                                                     40\n\x0cControl Description                             Tests of Operating Effectiveness      Results of Tests of Operating Effectiveness\n      numeric, 1 special, 1 symbol, 1\n      character required).\n  i. Password change period (minimum and\n      maximum number of days).\n  j. Number of password generations.\n  k. Use of encrypted passwords.\n  l. User ID is locked out after a prescribed\n      number of log on failures.\n  m. Deletion of log-on IDs and passwords\n      for separated or reassigned employees.\n  n. Simultaneous use of the same user\n      ID/password is prohibited.\n  o. 
Menu selections displayed are\n      restricted based upon the access\n      privileges defined by the user ID.\n\nControl Activity:\nSP-2.2 The security plan is kept current.\n\nControl Description                             Tests of Operating Effectiveness      Results of Tests of Operating Effectiveness\nDISA                                            DISA                                  DISA\nSecurity plan is reviewed annually.             Inspected the security plan and the   DECC-Columbus security plan did not\n                                                SSAA.                                 assess changes made to security or the\nSecurity plan is updated annually or as                                               interconnection of systems when changes are\nnecessary.                                                                            made.\n\n\n\n\n                                                                41\n\x0cControl Activity:\nSP-3 Establish a security management structure and clearly assign security responsibilities.\n\nControl Description                              Tests of Operating Effectiveness             Results of Tests of Operating Effectiveness\nDFAS                                             DFAS                                         DFAS\nThe DBMS security plan contains the              Inspected the security plan to ensure that   In the DBMS security plan, the appointed\nfollowing:                                       updates (if any) were in accordance with     personnel to Information Assurance roles\n                                                 DoD and National Institute of Standards      were not specified in writing, nor were duties\n a. Effective usage date.                        and Technology guidance.                     and appointment criteria described.\n b. Name of the person who is responsible\n     for the application.\n c. 
Assignment of responsibilities, in writing\n     to ensure that the application has\n     adequate security.\n d. Description of the following application\n     risk attributes, if applicable:\n    \xe2\x80\xa2 Connected to the Internet.\n    \xe2\x80\xa2 Located in a harsh or overseas\n        environment.\n    \xe2\x80\xa2 Software is rapidly implemented.\n    \xe2\x80\xa2 Software resides on an open network\n        used by the general public or with\n        overseas access.\n e. Whether the application is processed at a\n     facility outside of the organization\'s\n     control.\n f. Dial-up access support for vendors.\n g. The security plan contains Rules of\n     Behavior including topics such as, but\n     not limited to:\n                                                                  42\n\x0cControl Description                             Tests of Operating Effectiveness             Results of Tests of Operating Effectiveness\n   \xe2\x80\xa2 Responsibilities of users and user\n       management;\n   \xe2\x80\xa2 Other policies & procedures unique to\n       the application and its users;\n   \xe2\x80\xa2 Application rules (i.e. 
business rules,\n       planned downtime, etc.); and\n   \xe2\x80\xa2 Dial-in procedures.\n\nControl Activity:\nSP-3.1 A security management structure has been established.\n\nControl Description                             Tests of Operating Effectiveness             Results of Tests of Operating Effectiveness\nDISA                                            DISA                                         DISA\nThe DISA Computing Services Security            Inspected the site organization charts,      No relevant exceptions were noted.\nHandbook defines the responsibilities of the    SSAA, and letters of appointment.\nDirectors, DISA Security Officer, DISA\nDesignated Approval Authority, DISA             Inquired about the site security structure\nCertification Authority, Commander of DISA      from the Information System Security\nComputing Services Security Manager, DISA       Manager.\nComputing Services ISSO, Network Security\nOfficer, and TASO.\n\nControl Activity:\nSP- 3.2 Information security responsibilities are clearly assigned.\n\nControl Description                             Tests of Operating Effectiveness             Results of Tests of Operating Effectiveness\nDISA                                            DISA                                         DISA\nThe roles and responsibilities of the           Inspected the SSAA, security plan,           The SMC-Ogden security plan was not\nInformation Assurance Manager, Information      security features user guide, rules of       complete. Specifically, the plan did not\n\n                                                                 43\n\x0cControl Description                           Tests of Operating Effectiveness        Results of Tests of Operating Effectiveness\nAssurance Officer, and Security Manager are   behavior, and DISA Computing Services   sufficiently address all requirements outlined\noutlined in the appointment orders.           Security Handbook.                      in DoDI 8500.2. 
Specifically, the security\n                                                                                      plan:\n\n                                                                                      \xe2\x80\xa2 Did not specify, in writing, the IA roles\n                                                                                        of appointed personnel nor are their\n                                                                                        duties and appointment criteria described.\n                                                                                      \xe2\x80\xa2 Was not compliant with encryption\n                                                                                        requirement of Federal Information\n                                                                                        Processing Standard 140-2, \xe2\x80\x9cSecurity\n                                                                                        Requirements for Cryptographic\n                                                                                        Modules\xe2\x80\x9d, which requires that\n                                                                                        \xe2\x80\x9cunclassified, sensitive data transmitted\n                                                                                        through a commercial or wireless\n                                                                                        network be encrypted using NIST-\n                                                                                        certified cryptography.\xe2\x80\x9d Though the plan\n                                                                                        states that mitigation is described in\n                                                                                        Appendix Q, no Appendix Q was\n                                                          
attached to the SSAA.
• Did not specify the password minimum or maximum change period.
• Did not specify whether menu selections were restricted based on access privileges.

Control Activity:
SP-3.3 Owners and users are aware of security policies.

Control Description (DISA):
DISA Instruction 630-230-19, "Automated Data Processing – Information System Security Program," and the DISA Computing Services Handbook provide guidelines on security training.

Tests of Operating Effectiveness (DISA):
Inspected security awareness training material for new employees and the annual training material for current employees. Inspected flyers and other means of security awareness communicated to employees. Inspected security training completion sheets and attendance sheets.

Results of Tests of Operating Effectiveness (DISA):
35 of 45 employees did not attend new hire security awareness training and three of 45 did not attend annual security awareness training at SMC-Ogden. Eight of 45 employees did not attend annual security awareness training at DECC-Columbus.

Control Activity:
SP-3.4 An incident response capability has been implemented.

Control Description (DISA):
The DISA Computing Services Security Handbook provides guidance on handling incidents, the incident reporting structure, and prioritization of incidents.

Tests of Operating Effectiveness (DISA):
Inquired of personnel about incident response responsibilities. Inspected the site SSAA, the DISA Computing Services Security Handbook, and the Network Operations Center Columbus Standard Operating Procedure for Incident Response.

Results of Tests of Operating Effectiveness (DISA):
The incident response process at SMC-Ogden was not specified in the SSAA.

Control Activity:
SP-4 The current processing environment has been authorized by management.

Control Description (DFAS):
A C&A has been performed within the last 3 years in accordance with DITSCAP. The C&A package contains the following elements:
• The Designated Approving Authority and the Security Manager have signed the statement.
• Management completed the C&A at the time the application moved into production.
• The C&A did not result in an interim authority to operate.

Tests of Operating Effectiveness (DFAS):
Inquired if a C&A had been performed in accordance with DITSCAP. Inspected the C&A package as part of the DITSCAP process.

Results of Tests of Operating Effectiveness (DFAS):
No relevant exceptions were noted.

Control Activity:
SP-4.2 Employees have adequate training and expertise.

Control Description (DISA):
Training and certification requirements for users and system administrators are established by DoD and DISA policies. The DISA Computing Services Security Handbook outlines several different certification courses that system administrators should take depending on their designated level.

Tests of Operating Effectiveness (DISA):
Inspected job descriptions, personnel records, and education records. Inspected training tracking sheets. Inquired of security personnel about the training and the DISA policy on training.

Results of Tests of Operating Effectiveness (DISA):
Configuration management staff at SMC-Ogden did not have adequate training. Two of nine individuals did not receive adequate training.

Control Activity:
SP-5.2 Management ensures that corrective actions are effectively implemented.

Control Description (DISA):
DECC-Columbus maintains a plan of action and milestones that tracks all issues identified through a Security Readiness Review, including specific weaknesses, resources needed to implement corrective actions, progress in addressing weaknesses, and scheduled completion dates. It is the responsibility of the DECC-Columbus primary security official to send a status to the DISA Field Security Office to update their progress on the plan of action and milestones issues.

Tests of Operating Effectiveness (DISA):
Inquired of management about the plan of action and milestones process. Inspected the current plan of action and milestones, the Corrective Action Plan, and the Vulnerabilities Management System.

Results of Tests of Operating Effectiveness (DISA):
No relevant exceptions were noted.

Change Control (CC)

Effective change controls provide reasonable assurance that DFAS-Columbus has implemented processes to ensure that DBMS software modification responsibilities are carried out in accordance with applicable guidelines.
These change control procedures and processes ensure that DBMS processing features and program modifications are properly authorized, new or revised DBMS software is tested and approved, and software libraries are controlled.

Control Activity:
CC-1.1 A System Development Life Cycle methodology (SDLC) has been implemented.

Control Description (DFAS):
An SDLC methodology has been developed and approved. The SDLC:
• Provides a structured approach consistent with generally accepted concepts and practices, including active user involvement throughout the process.
• Is sufficiently documented to provide guidance to staff with varying levels of skill and experience.
• Provides a means of controlling changes in requirements that occur over the system's life.
• Includes documentation requirements.
• Program staff and staff involved in developing and testing software have been trained and are familiar with the use of the organization's SDLC methodology.

Tests of Operating Effectiveness (DFAS):
Inquired of management on DFAS-Columbus responsibilities for change control. Inspected change control procedures in place to ensure responsibilities were carried out in accordance with the SDLC. Inspected any deviations from a standard set of change control procedures. Inquired of staff involved in developing and testing software regarding whether they had been trained and were familiar with the use of the SDLC methodology. Inspected the DBMS configuration management process and software quality assurance controls. Inspected training records to ensure that site personnel had been trained on their change control-related responsibilities.

Results of Tests of Operating Effectiveness (DFAS):
No relevant exceptions were noted.

Control Activity:
CC-1.2 Authorizations for software modifications are documented and maintained.

Control Description (DISA):
An informational "request" is entered into the Change Control Board Database to keep track of all the changes.

Software changes are not made on-site at DECC-Columbus; all modifications are done at Change Design Activities (CDA). As appropriate software becomes available, customers request that DECC-Columbus install the software.

For the mid-tier systems, the software is downloaded into a separate directory used only for downloads. After the software is downloaded by CDA, one of the IT Specialists installs the software from that directory into a test directory or system so that the customer can test the program before it goes into production.

For the mainframes, the IT Specialists download the software from the appropriate software download site and install it onto a test LPAR.

Tests of Operating Effectiveness (DISA):
Inspected a sample of changes for appropriate request and development documentation, and approvals.

Results of Tests of Operating Effectiveness (DISA):
DECC-Columbus did not track software changes through development, testing, and production.

Control Description (DFAS):
Software change requests follow a prescribed change control process including:
• Documenting all software change requests;
• Preparing specifications of changes;
• Version control of changes;
• Conducting unit and process testing;
• Completing test plans;
• Approval of changes by the appropriate manager; and
• Coordinating implementation with the System Owner.

Tests of Operating Effectiveness (DFAS):
Obtained and inspected a list of recent software modifications (regular and emergency changes). For a sample of changes, inspected documentation to determine whether the following requirements were met:
• DFAS completed application change request forms;
• Appropriate management authorized these forms;
• Each change request form had a unique identification number;
• Change specifications were clearly documented;
• A configuration management plan existed;
• Documented test plans and results existed to support the change;
• DFAS documented and analyzed test failures to detect ineffective testing;
• Changes were moved into production following management's approval; and
• DFAS documented user acceptance.

Inquired as to the frequency of Configuration Control Board meetings for changes affecting the site.

Results of Tests of Operating Effectiveness (DFAS):
18 of 19 mid-tier change releases were missing either the ATQ [1] signature or the Program Management Office signature block.

Three of five major/minor release test plans provided did not have results documented.

[1] ATQ is an office code within DFAS-Columbus. It is not an acronym.

Control Activity:
CC-2.1 Changes are controlled as programs progress through testing to final approval.

Control Description (DISA):
An informational "request" is entered into the Change Control Board Database to keep track of all the changes.

Software changes are not made on-site at DECC-Columbus; all modifications are done at CDA. As appropriate software becomes available, customers request that DECC-Columbus install the software.

For the mid-tier systems, the software is downloaded into a separate directory used only for downloads. After the software is downloaded by CDA, one of the IT Specialists installs the software from that directory into a test directory or system so that the customer can test the program before it goes into production.

For the mainframes, the IT Specialists download the software from the appropriate software download site and install it into a test LPAR.

Tests of Operating Effectiveness (DISA):
Inspected the sample of changes for test plans.

Results of Tests of Operating Effectiveness (DISA):
DECC-Columbus did not track software changes through development, testing, and production.

Control Description (DFAS):
Changes to DBMS are logged to provide "trace-back" ability.

At each level of testing, there is management approval before proceeding to the next level of testing. Evidence of management approval is maintained.

An independent group, such as Quality Assurance, moves changes between development, testing, and production environments.

Security requirements are considered and approved. These security features are tested for emergency changes.

Supporting documentation for system administrators, operators, and end users was updated after changes/modifications to the selected sample systems.

Tests of Operating Effectiveness (DFAS):
Inquired whether changes to applications were logged to provide "trace-back" ability. Inspected supporting documentation for the five last major changes. Inquired as to whether, at each level of testing, there was management approval before proceeding to the next level of testing. Inquired as to what type of data was used during the testing of changes made to DBMS; also observed who reviewed and accepted test results. Inquired as to who was responsible for moving changes between development, testing, and production environments. Inquired if supporting documentation for system administrators, operators, and end users was updated after changes/modifications to the selected sample systems. Inspected release letters with functional documentation.

Results of Tests of Operating Effectiveness (DFAS):
No relevant exceptions were noted.

Control Activity:
CC-2.2 Emergency changes are promptly tested and approved.

Control Description:
Finalized policies and procedures are in place for emergency changes. These documents require emergency changes to be recorded and approved by management, and normal change request forms and documentation are to be completed after the emergency change.

Tests of Operating Effectiveness:
Inspected policies and procedures in place for emergency changes to determine if emergency changes were recorded and approved by management, and normal change request forms and documentation were completed after the emergency change.

Results of Tests of Operating Effectiveness:
16 of 45 emergency change releases did not have documentation to support the changes.

Two of 29 emergency change releases did not have the appropriate signatures on the Technical Management Certification Release Quality Certification Checklists.

One of 29 emergency releases was missing the appropriate signature on the Release Quality Certification Checklist Product Integration Certification.

Six of 29 emergency change releases and 19 of 19 mid-tier releases did not have a Technical Management Verification signature on the TCA/CO [2] Transmittal Forms.

26 of 29 emergency change releases were missing either the ATQ signature or the Program Management Office signature block on the Quality Certification Checklist.

[2] TCA/CO is an office code within DFAS-Columbus. It is not an acronym.

Control Activity:
CC-3.1 Programs are labeled and inventoried.

Control Description:
Finalized policies and procedures exist for the labeling and inventorying of DBMS programs.

DFAS-Columbus uses automated software libraries to record the movement of software applications. DFAS-Columbus maintains the following:
• An audit trail of program changes;
• Current program version numbers;
• The location of prior versions; and
• Location and status of physical media.

Tests of Operating Effectiveness:
Inspected policies and procedures for the labeling and inventorying of software programs. Inquired if DFAS-Columbus used automated software libraries that record the movement of software applications. Inspected a listing of the programs maintained in each library.

Results of Tests of Operating Effectiveness:
No relevant exceptions were noted.

Control Activity:
CC-3.2 Access to program libraries is restricted.

Control Description:
DFAS-Columbus has established separate environments for development, testing, and production. DFAS-Columbus restricts unauthorized access to and/or modification of source code via RACF/Endeavor.

Programmers/developers do not have access to the production environment, and end users do not have access to the development and test environments.

The development environment is certified and accredited.

The source code for the most recent DBMS version is maintained in a separate library from production code.

DFAS maintains backup tapes/media for the production library.

Tests of Operating Effectiveness:
Inquired if DFAS-Columbus had separate environments for development, testing, and production. Inquired how access was controlled between these environments (development, test, and production) for non-end users. Inspected a listing of non-end users with access to the development, test, and production environments. Inquired if source code for the most recent version of DBMS was maintained in a separate library from production code. Inspected a listing/inventory of program tapes/media. Inspected the existence of a sample of ten program tapes/media, either in the library or with the individual responsible for withdrawing the tapes/media.

Results of Tests of Operating Effectiveness:
No recertification policy or process was in place to ensure that user access and privileges in DBMS were appropriate.

Control Activity:
CC-3.3 Movement of programs and data among libraries is controlled.

Control Description:
Finalized policies and procedures exist for movement of program code between libraries.

The movement of changes is approved and documented by responsible management.

Tests of Operating Effectiveness:
Inspected policies and procedures for movement of program code between libraries. Inquired if movement of changes was documented and approved. Inspected recent changes and screen prints of the changes.

Results of Tests of Operating Effectiveness:
No relevant exceptions were noted.

Authorization (AN)

Only authorized transactions should be entered into DBMS and processed by the computer.
Assessing authorization controls involves evaluating the entity's ability to effectively perform the following critical elements:
• All data are authorized before entering DBMS.
• Data entry terminals are restricted to authorized users for authorized purposes.
• Master files and exception reporting help ensure all data processed are authorized.

Control Activity:
AN-1.1 Source documents are controlled and require authorizing signatures.

Control Description:
Input transactions received are entered either by interfaces from another system or are input manually by Accounting Technicians.

All transactions are assigned unique function code prefixes to identify their source.

Key source documents require authorizing signatures (at least one of the following: Supervisor, Contract Officer, Resource Manager, Billing Official) for:
• 1081 – Accounting adjustment document;
• Modification of Documentation – Used to modify an existing contract;
• Military Interdepartmental Purchase Requests – Used for procurement of commercial supplies and/or services; and
• Contracts – Binding documents with outside vendors.

Manual source documents are controlled with a block number assigned by DDARS. Block numbers are used to maintain sequence control and accountability over the documents. Vouchers within the block are totaled on the block by appropriation code.

Accounting Operations is responsible for verifying all manual input documents through control totals and identification of the user ID of the technician who was responsible for the input.

Tests of Operating Effectiveness:
Inspected the applicable standard operating procedures for entering transactions into DBMS. Obtained and inspected a listing of function code prefixes. Obtained and inspected examples of source documents used to enter each class of obligations, which includes:
a. Commitments,
b. Obligations,
c. Work Counts,
d. Expenses,
e. Disbursements,
f. Payables,
g. Receivables, and
h. Journal vouchers.

Observed Accounting Operations staff perform their job functions and process block tickets for different transactions. Inquired where original source documentation was stored. Inspected prepared source documents and batches. Inspected procedures for recording and tracking pre-numbered documents.

Results of Tests of Operating Effectiveness:
No relevant exceptions were noted.

Control Activity:
AN-1.2 Supervisory or independent reviews of data occur before data enter the application.

Control Description:
Data control unit personnel verify that source documents are properly prepared and authorized.

Data control unit personnel monitor data entry and processing of source documents.

Tests of Operating Effectiveness:
Inspected standard operating procedures for entering data into DBMS. Inquired on security controls in place to prevent unauthorized users from entering fraudulent transactions. Inquired if supervisory review of transactions takes place through signed document, email, or other means. Observed the Block Ticket process. Inspected Block Ticket transactions.

Results of Tests of Operating Effectiveness:
No relevant exceptions were noted.

Control Activity:
AN-2.1 Data entry terminals are secured and restricted to authorized users.

Control Description:
DD Form 2875 must be completed by the individual requesting access, with the required supervisor signature. An additional program worksheet annotating which accesses are required must be submitted with the DD Form 2875 and also requires a supervisor signature. The DD Form 2875 is sent to the security manager to validate the background investigation or clearance information.

For external users only, a supervisor signature and security clearance from their location is required prior to submission to DFAS-Columbus.

An additional program worksheet annotating which access levels are required must be submitted with the DD Form 2875. The worksheet requires a supervisor signature. For certain access levels, some menu requests require the Division Chief's signature.

DECC-Columbus would assign the program access. The TASOs would assign the Activity access and notify the user of their user ID and temporary password.

Data entry is accomplished through password-protected (CAC) terminals located on the users' desks. When a terminal is not in use, the CAC is removed and the terminal is locked. The system requires a CAC, as well as a user ID and password, for re-entry into the network. A separate/unique user ID and password is required to log on to DBMS.

DBMS is programmed to allow data entry connections (i.e., "sign-on") during specified periods of the day that correspond with the online hours of the system.

Data entry connections automatically disconnect from the system after 15 minutes of inactivity.

Internal users are required to sign acknowledgement forms stating their responsibility for their account ID and temporary password.

Sign-on requires users to establish passwords known only to them.

All transactions are logged as entered, along with the ID of the person entering the data.

Tests of Operating Effectiveness:
Inquired of the ISSO about the procedures in place to obtain a DBMS user ID. Inquired about additional logical access controls in place to restrict access to user terminals. Inquired and observed how workstations were secured to prevent unauthorized access. Inquired and observed how DBMS users access the application. Inquired if a supervisor was required to approve the logon for each session. Inquired if each user was required to use a different user ID.

Observed and inspected the password settings used for DBMS. Inspected the DBMS environment password configurations to determine if they were set to the following parameters:
• Be at least eight characters;
• Include at least one upper case, one lower case, one number, and one special character;
• Require that at least four characters be changed when creating a new password;
• Force default/factory setting passwords to be removed/changed upon initial use;
• Contain system mechanisms to force automatic expiration of passwords and prevent password reuse; and
• Require password files to be encrypted.

Inquired if users could access the application directly or if they needed to log on to the local area network or mainframe first. Inspected the DBMS user list, current employee list, and terminated employee list. Inspected 209 access request forms. Inquired on re-certification of user and programmer access. Inquired if users were locked from accessing the application during specific periods. Inspected the output of attempting to log on to a workstation outside of the permitted window. Inquired if users were disconnected after a specific period of inactivity. Inquired if successive logon attempts were controlled and monitored. Inquired if users could access the application via dial-up.

Results of Tests of Operating Effectiveness:
Inadequate security settings were in place to ensure that DFAS-Columbus computer users were automatically logged out of their terminals after a specified period of inactivity. In addition, computer terminals were left unattended with CACs inserted and screen lock not activated.

DBMS password settings, controlled by ENTIRE, were not compliant with DoDI 8500.2. None of the password settings, for either TSO or the DBMS application, could be verified by viewing the actual CINCOM ENTIRE program logic. The following ENTIRE settings were not in compliance with DoDI 8500.2:
• Passwords require at least one alphabetic, one numeric, and one special character, and are not case sensitive.
• New passwords require only three changed characters.
• Password encryption (DFAS-Columbus cannot prove that passwords are properly encrypted).

Six users who were listed as separated still had active DBMS user accounts.

DFAS-Columbus procedures and processes over DBMS user account management did not comply with the DFAS-Columbus Handbook for Systems Access Management and Control and DoDI 8500.2. The following control weaknesses were identified:
• 171 of 209 users did not have a DD Form 2875 on file at DFAS-Columbus. Only 13 of the 38 who did have files maintained had their access request form, DD Form 2875, correctly filled out, and only 20 had access request worksheets specifying the function codes. The remaining 25 access request forms and 17 access request worksheets were either incomplete, missing DBMS TASO signatures, or did not have appropriate justification.
• No recertification policy or process was in place to ensure that user access and privileges in DBMS were appropriate. DFAS-Columbus management had no way of knowing when external users no longer needed access unless their supervisors informed the DBMS TASOs. Furthermore, DFAS-Columbus management did not periodically review application programmer access and privileges.

DFAS-Columbus did not have procedures and processes in place to review the access logs for DBMS for either unauthorized accounts or inappropriate user activity. No previous log
Inquired what types   reviews existed to verify that access logs were\n                                                of users had dial-up access and if the         properly created and periodically monitored.\n                                                transmission was encrypted.\n\n                                                Inquired what controls were established for\n                                                dial-up.\n\n                                                Inquired if access logs were maintained by\n                                                DBMS.\n\n                                                Inquired on and inspected procedures for\n                                                review of the access logs.\n\n                                                Inspected example of DBMS access logs.\n\nControl Activity:\nAN-2.2: Users are limited in what transactions they can enter.\n\nControl Description                             Tests of Operating Effectiveness               Results of Tests of Operating Effectiveness\nSecurity is exercised by the system at levels   Inquired if DBMS had authorization profiles    DFAS-Columbus procedures and processes\nin the processing cycle through the system      for the application and SUPRA. Inquired to     over DBMS user account management did not\nsign-on, menu selections/authorization, and     DBMS management if the access matrix in        comply with the DFAS-Columbus Center\nactivity identity.                              the SSAA was followed.                         Handbook for Systems Access Management\n                                                                                               and Control and DoDI 8500.2. Specifically:\nUser access is restricted by the user-          Inspected the adequacy of the general\nassigned functions and password. This           controls over authorization profiles.          
\xe2\x80\xa2   Position descriptions could only be\n\n                                                                   61\n\x0cControl Description                            Tests of Operating Effectiveness                Results of Tests of Operating Effectiveness\nsecurity is authenticated through SUPRA.                                                          provided for 15 of 38 users. Of these 15,\nSUPRA applies security to activities that      Inspected the listing of the DBMS profiles         one did not justify needing access to\nhave the accounting function completed at      and their description.                             DBMS.\nDFAS.\n                                               Inquired and inspected the types of activities \xe2\x80\xa2    There was no process in place to verify that\nThe user must be authorized to sign on to      authorization profiles were used to control.        supervisors properly assigned function\nDBMS. Subsequent access will be                                                                    codes to promote segregation of duties.\ndetermined by management and                   Inspected 209 access request forms.\nimplemented by the Automated Data                                                              \xe2\x80\xa2   Nine of 37 users had access request\nProcessing Field Security Representative.      Inquired and inspected that authorization           worksheets that correctly matched the\n                                               profiles limited the dollar amount of a             user\xe2\x80\x99s actual access in DBMS.\nAuthorization will link the user to either     transaction a user could enter, edit, or\nAppropriation Accounting Programs or a         approve.\nsubsequent menu which authorizes access to\nonly a limited number of function codes        Inspected documentation to determine\nwithin DBMS. Access is based on assigned       whether access to menus/screens\ntasks, not job descriptions.             
      corresponds to the users\xe2\x80\x99 defined duties.\n\nSign-on requires the user to establish a       Inspected 209 access forms and compared\npassword known only to the user which will     them to the UTYS02 (user list) report to\nfurther restrict access.                       determine that users had access to what was\n                                               approved.\n\nControl Activity:\nAN-3.1: Master files help identify unauthorized transaction.\n\nControl Description                           Tests of Operating Effectiveness               Results of Tests of Operating Effectiveness\nBefore transactions are processed, they are   Inspected documentation on validity and        No relevant exceptions were noted.\nverified using master files of approved       accuracy checks performed on data fields.\n                                                                  62\n\x0cControl Description                           Tests of Operating Effectiveness                Results of Tests of Operating Effectiveness\nlines of accounting as appropriate for the    Inquired from the DBMS programmers\napplication. Master files consist of:         how data was verified and what type of\n                                              information was verified before the\n       \xe2\x80\xa2   LACT (a program file),             transaction was processed.\n       \xe2\x80\xa2   Master Accounting Data, and\n       \xe2\x80\xa2   Matrix.                            Inquired how master files that contained\n                                              vendor, customer, or other sensitive\nMaster file LACT that does the verification   information were secured.\nis protected from unauthorized\nmodifications.                                
Inquired who had access to master files.\n                                              Inquired how access was granted and\n                                              whether it was noted on access request\n                                              form.\n\n                                              Inspected and observed a sample of\n                                              function codes for the tables, confirming\n                                              that transactions verify information in the\n                                              tables or files properly.\n\nControl Activity:\nAN-3.2: Exceptions are reported to management for their review and approval.\n\nControl Description                            Tests of Operating Effectiveness                 Results of Tests of Operating Effectiveness\nGeneral ledger account code adjustments,       Inquired if DBMS produced a violation file       No relevant exceptions were noted.\nbased on parameters established by the         of rejected information (hard or soft\nstandard operating procedure Journal           formats).\nVouchers Adjustments to the General\nLedger, are tracked on a monthly report for    Inspected violation reports for the past six\nmanagement review and approval.                
months for receivables-reimbursable and\n\n                                                                   63\n\x0cControl Description                           Tests of Operating Effectiveness               Results of Tests of Operating Effectiveness\n                                              non-reimbursable, SRD-1, and BOSS\n                                              violation control listing, and BOSS invalid\n                                              transaction journal.\n\n                                              Inquired if there were criteria for\n                                              exception/rejection reporting.\n\n                                              Inspected documentation establishing\n                                              reporting parameters for exception/rejection\n                                              reporting.\n\nCompleteness (CP)\n\nAll authorized transactions should be entered into and completely processed by the computer. Assessing the controls over\ncompleteness involves evaluating the DEFAS-Columbus\xe2\x80\x99 ability to effectively:\n    \xe2\x80\xa2 Ensure all authorize transactions are entered into and processed by the computer.\n    \xe2\x80\xa2 Ensure reconciliations are performed to verify data completeness.\n\nControl Activity:\nCP-1.1 Record counts and control totals.\n\nControl Description                          Tests of Operating Effectiveness                Results of Tests of Operating Effectiveness\nDDARS generated block tickets provide        Inspected documented procedures for using       No relevant exceptions were noted.\nestablished counts and control totals over   record counts and control totals when\nsource documents, utilizing the Disbursing   entering transactions.\nDaily Cash Blotter to help determine the\ncompleteness of the data entry and data      Inquired how record counts were generated.\nprocessing.                                  
Obtained and inspected output of the counts\n                                             developed.\n                                                                  64\n\x0cControl Description                             Tests of Operating Effectiveness               Results of Tests of Operating Effectiveness\nOnline or real-time system and control totals\nper appropriation are reflected on each         Inquired how the accumulation of record\ncontrol block (daily) and are used to help      counts were used, and how they were\ndetermine the completeness of data entry        recorded (each session, daily or other\nand processing.                                 frequently).\n\nControl Activity:\nCP-1.2 Computer sequence checking.\n\nControl Description                             Tests of Operating Effectiveness           Results of Tests of Operating Effectiveness\nSequence checking is used to identify           Inquired if serial numbers from source     No relevant exceptions were noted.\nmissing or duplicate transactions through       documents were used for sequence checking.\nauto-marking in DDARS.\n                                                Inquired if a sequence checking review was\nReports of missing or duplicate transactions    performed to check for duplicate or missing\nare produced from DDARS. Exceptions are         transactions.\ninvestigated and resolved by month-end.\n                                                Obtained and inspected examples of the\n                                                sequence checking reports. 
Inquired what\n                                                actions were taken for duplicate or missing\n                                                documents.\n\nControl Activity:\nCP-1.3 Computer matching of transaction data.\n\nControl Description                             Tests of Operating Effectiveness               Results of Tests of Operating Effectiveness\nComputer matching of transaction data with      Inquired if unique identifiers were assigned   No relevant exceptions were noted.\ndata in master or suspense files occurs to      to each transaction.\nidentify missing or duplicate files.            Inquired if DBMS performed automated\n\n                                                                   65\n\x0cControl Description                           Tests of Operating Effectiveness                Results of Tests of Operating Effectiveness\n                                              checks of transactions to identify missing or\nDDARS reports of missing or duplicate files   duplicate transactions.\nare produced and items are investigated and\nresolved by month-end.                        
Inspected policies and procedures to\n                                              determine how missing or duplicate\n                                              transactions were reported and investigated.\n\n                                              Inspected how missing or duplicate\n                                              transactions were investigated and resolved.\n\nControl Activity:\nCP-1.4 Checking reports for transaction data.\n\nControl Description                           Tests of Operating Effectiveness                Results of Tests of Operating Effectiveness\nIndividual transactions or source documents   Inquired if users (internal and external) of    No relevant exceptions were noted.\nare compared through DDARS auto-              DBMS compared source documentation to\nmarking, with a detail listing of items       reports produced by DBMS to verify\nprocessed by the computer, particularly to    information is accurate.\ncontrol important low-volume, high-value\ntransactions.                                 
Inquired if transactions considered low\n                                              volume, but high dollar value were reviewed\n                                              separately with source documentation.\n\n                                              Inspected the procedures regarding source\n                                              documentation.\n\n                                              Observed Accounting Technicians\n                                              performing their job functions for the\n                                              purpose of inspecting source documentation.\n                                                                  66\n\x0cControl Activity:\nCP-2.1 Reconciliations show the completeness of data processed at points in the processing cycle.\n\nControl Description                              Tests of Operating Effectiveness             Results of Tests of Operating Effectiveness\nRecord counts and control totals are             Inquired how management ensured that all     Although DFAS represented that a header and\nestablished by block totals and reconciled       transactions were complete once they were    trailer were required for all files sent from\nwith transaction data manually and through       entered into DBMS.                           interfacing systems, DBMS accepted files in\nDDARS auto-marking.                                                                           its entirety without the trailer and allowed the\n                                                 Inspected related policies and procedures.   
information to post to the system.\nTrailer labels or control records containing\nrecord counts and/or control totals are                                                       In addition, inbound interface between DBMS\ngenerated for batch interface files and tested                                                and SRD-1 is not operating correctly when\nby DBMS (part of the program logic) to                                                        information is sent to DBMS. Specifically:\ndetermine that all records have been\nreceived.                                                                                     \xe2\x80\xa2   DBMS will accept data files from SRD-1\n                                                                                                  when trailer records are not included in the\nReconciliations are performed to determine                                                        transmission.\nthe completeness of transactions processed                                                    \xe2\x80\xa2   DBMS does not notify DFAS-Columbus\nand whether master files updated and                                                              management that trailer records were not\noutputs generated:                                                                                received.\n\n    \xe2\x80\xa2   Daily,\n    \xe2\x80\xa2   As-Required,\n    \xe2\x80\xa2   Monthly,\n    \xe2\x80\xa2   Using DDARS, and\n    \xe2\x80\xa2   Using Automated Trial Balance\n        Reconciliation.\n\n\n\n                                                                    67\n\x0cControl Activity:\nCP-2.2 Reconciliations show the completeness of data processed for the total cycle.\n\nControl Description                              Tests of Operating Effectiveness                Results of Tests of Operating Effectiveness\nTrailer labels or control records containing     Inquired how management reconciled              The interfaces to and from DBMS 
were not\nrecord counts and/or control totals are          transaction information.                        encrypted. Sensitive financial data was\ngenerated for batch interface files and tested                                                   transmitted over the interfaces in clear text via\nby DBMS (part of the program logic) to           Inspected the reports to re-perform a sample    unsecured FTP.\ndetermine that all records have been             of 45 reconciliations over the past six\nreceived.                                        months to determine procedures were             Although headers and trailers were required for\n                                                 followed.                                       all files being sent from interfacing systems,\nReconciliations are performed to determine                                                       DBMS accepted the files in its entirety without\nthe completeness of transactions processed,      Inquired on interface controls for major        the trailer and allowed the information to post.\nmaster files updated, and outputs generated:     interfacing system.\n                                                                                                 The inbound interface between DBMS and\n    \xe2\x80\xa2   Daily,                                   Inquired how DBMS reconciled the in-            SRD-1 was not operating correctly when\n    \xe2\x80\xa2   As-Required,                             bound and out-bound interfaces.                 information was sent to DBMS. Specifically,\n    \xe2\x80\xa2   Monthly,                                                                                 DBMS accepted data files from SRD-1 when\n    \xe2\x80\xa2   Using DDARS, and                         Obtained and inspected a sample of              trailer records were not included in the\n    \xe2\x80\xa2   Using Automated Trial Balance            reconciliation reports.                         
transmission.\n        Reconciliation.\n                                                 Inquired if the customers of DFAS were          DBMS did not generate a violation report\n                                                 responsible for completeness of the interface   when trailer records were not received.\n                                                 transactions.\n\n\n\n\n                                                                    68\n\x0cAccuracy (AY)\n\nThe recording of valid and accurate data into an application system is essential to provide for an effective system that produces\nreliable results. Assessing the controls for valid and accurate data involves evaluating DFAS-Columbus\xe2\x80\x99 ability to effectively ensure:\n        \xe2\x80\xa2 Data entry design features contribute to data accuracy.\n        \xe2\x80\xa2 Data validation and editing are performed to identify erroneous data.\n        \xe2\x80\xa2 Erroneous data are captured, reported, investigated, and corrected.\n        \xe2\x80\xa2 Review of output reports helps maintain data accuracy and validity.\n\nControl Activity:\nAY-1.1 Source documents are designed to minimize errors.\n\nControl Description                         Tests of Operating Effectiveness                  Results of Tests of Operating Effectiveness\nThe source document is well-designed to aid Inquired that source documents had been           No relevant exceptions were noted.\nthe preparer and facilitate data entry.     
effectively designed to aid in the data entry\n                                            of transaction information.\n\n                                               Obtained and inspected blank source\n                                               documents to confirm that they aided the\n                                               preparer to record data correctly and in a\n                                               uniform format.\n\n                                               Inspected the master list of function codes.\n\n                                               Inquired if the function codes used for data\n                                               entry into DBMS were entered on source\n                                               documentation.\n\n                                               Inspected sample source documentation.\n\n\n                                                                  69\n\x0cControl Activity:\nAY-1.2 Pre-formatted computer terminal screens guide data entry.\n\nControl Description                              Tests of Operating Effectiveness             Results of Tests of Operating Effectiveness\nPre-formatted computer terminal screens are      Inquired and observed that screens were pre- No relevant exceptions were noted.\nutilized and allow prompting of data to be       formatted for data entry.\nentered, and editing of data as it is entered.\n                                                 Inquired and observed that screens prompted\n                                                 the user to enter data by field.\n\nControl Activity:\nAY-1.3 Key verification increases the accuracy of significant data fields.\n\nControl Description                              Tests of Operating Effectiveness               Results of Tests of Operating Effectiveness\nMandatory fields for edits and validation to     Inquired and observed that DBMS did not        No relevant exceptions were noted.\nensure key 
data is entered. Online editing is    require data fields to be re-enter to verify\nperformed to prevent erroneous data from         data accuracy before it was accepted.\nbeing keyed.\n                                                 Observed Accounting Technicians entering\nInvalid changes to key data elements are not     data to ensure all data fields were entered\npermitted.                                       before the transaction was processed.\n\n\n\n\n                                                                     70\n\x0cControl Activity:\nAY-2.1 Programmed validation and edit checks identify erroneous data.\n\nControl Description                           Tests of Operating Effectiveness                Results of Tests of Operating Effectiveness\nAll transactions are subject to validations   Inquired from DBMS programmers how              The means for which DBMS ensured that\nand edits, which include checks for:          DBMS ensured that \xe2\x80\x9ccorrect data type\xe2\x80\x9d was       correct data type (i.e. alpha or numeric) was\n                                              entered into the field (i.e. alpha, numeric).   entered into a data field could not be verified.\n       \xe2\x80\xa2   Accuracy \xe2\x80\x93 Negative\n           Unliquidated Obligation Edits,     Inquired what controls were in place to\n       \xe2\x80\xa2   Dependency,                        ensure completeness and accuracy of input\n       \xe2\x80\xa2   Existence,                         (reconciliation of control totals, 1-for-1\n       \xe2\x80\xa2   Mathematical accuracy,             checking, matching, sequence checking,\n       \xe2\x80\xa2   Check digit \xe2\x80\x93 Numeric not alpha,   duplicate processing, and programmed edit\n       \xe2\x80\xa2   Document reconciliation, and       checks).\n       \xe2\x80\xa2   Relationship or prior data\n           matching.                          
Inquired if and how the following automated\n                                              edit checks were performed on the input\nValidation and editing are performed at the   data:\ncomputer terminal during data entry or are\nperformed as early as possible in the data    \xe2\x80\xa2   Reasonableness,\nflow and before updating master files.        \xe2\x80\xa2   Limit Check,\n                                              \xe2\x80\xa2   Range,\nAll applicable data fields are checked for    \xe2\x80\xa2   Existence,\nerrors before rejecting a transaction.        \xe2\x80\xa2   Format,\n                                              \xe2\x80\xa2   Check Digit,\n                                              \xe2\x80\xa2   Duplicate Check, and\n                                              \xe2\x80\xa2   Completeness Check.\n\n                                              Inquired whether the following edit checks\n                                              existed:\n\n                                                                 71\n\x0cControl Description                               Tests of Operating Effectiveness                  Results of Tests of Operating Effectiveness\n\n                                                  \xe2\x80\xa2   Format checks on numeric data;\n                                                  \xe2\x80\xa2   Range checks on variable numeric field;\n                                                  \xe2\x80\xa2   Date tests on date fields;\n                                                  \xe2\x80\xa2   Existence checks on all key fields;\n                                                  \xe2\x80\xa2   Check digit on all identification keys;\n                                                  \xe2\x80\xa2   Tests for missing data;\n                                                  \xe2\x80\xa2   Tests for extraneous data;\n                                                  \xe2\x80\xa2   Tests for record mismatches; and\n          
                                        \xe2\x80\xa2   Tests for out of sequence conditions.\n\n                                                  Inspected each edit check being performed\n                                                  in the system.\n\n                                                  Inquired how data received from interfacing\n                                                  applications were validated for\n                                                  completeness and accuracy.\n\n                                                  Inspected interface transactions files for edit\n                                                  checks.\n\nControl Activity:\nAY-2.2 Tests are made of critical calculations.\n\nControl Description                               Tests of Operating Effectiveness               Results of Tests of Operating Effectiveness\nProgram code and criteria for tests of critical   Inquired on DFAS-Columbus\xe2\x80\x99                     No relevant exceptions were noted.\ncalculations are protected from unauthorized      responsibilities for change control, including\nmodifications. All calculations are tested in     the following:\nthe Change Control Environment.\n                                                                      72\n\x0cControl Description                        Tests of Operating Effectiveness                 Results of Tests of Operating Effectiveness\n                                            \xe2\x80\xa2 Application modifications (enterprise\nManual controls depend on Accounting           and business applications);\nOperations verifying the daily & monthly    \xe2\x80\xa2 Testing and approving software\ndata.                                          
changes;
• Quality assurance or quality control;
• Controlling software libraries; and
• Migrating changes to production.

Inspected DBMS configuration management procedures.

Inquired whether each level of testing had management approval before proceeding to the next level of testing.

Inquired how management ensured that all transactions were complete once they were entered into DBMS. Obtained and inspected related policies and procedures. Obtained and inspected any output or reports.

Inquired how management reconciled transaction information. Obtained and inspected applicable output or reports.

Inspected the reports to re-perform a sample of reconciliations over the past six months to determine that procedures were followed.

Inquired on the fields required for any transaction to be processed to the next level.

Inquired whether DBMS had built-in logic to allow for "auto-complete".

Inquired on the change control process for updating an "auto-complete" list/menu.

Control Activity:
AY-2.3 Overriding or bypassing data validation and editing is restricted.

Control Description:
Overriding and bypassing data validation and editing are restricted.

Tests of Operating Effectiveness:
Inquired if users were able to override information when entering transactions and who had this capability.

Inquired if DBMS produced a report listing for:
• Transactions and data elements that were overridden; and
• User IDs with the ability to override transactions and data elements.

Results of Tests of Operating Effectiveness:
No relevant exceptions were noted.

Control Activity:
AY-3.1 Rejected transactions are controlled with an automated error suspense file.

Control Description:
Interface-rejected data are automatically written on an automated violation file and held from processing until corrected.

Each erroneous transaction is annotated with:
• Error messages indicating the type of data error;
• Date and time the transaction was processed and the error identified; and
• The identity of the user who originated the transaction.

The suspense file is purged of transactions as they are corrected.

Tests of Operating Effectiveness:
Inquired if audit trails tracking transactions and user activity were maintained. Inspected the most recent audit trail.

Inspected policies and procedures for performing periodic review of the audit trail for unusual activity. Inspected the most recent audit trail review.

Inquired whether the contents of audit trails were protected against unauthorized access, modification, and deletion.

Inquired how long audit logs were retained.

Inquired if transactions that were rejected were sent to a suspense file and held until they were investigated and corrected. Inspected the most recent suspense file.

Inquired who reviewed the suspense file and investigated and cleared the items. Obtained and inspected policies and procedures for reviewing, investigating and correcting items in the suspense file.

Inspected items in the suspense file from the past six months and reviewed how they were resolved.

Results of Tests of Operating Effectiveness:
DFAS-Columbus and SMC-Ogden did not conduct periodic reviews of the DBMS audit trail for unusual activity.

DFAS-Columbus did not have policies and procedures in place for the review, investigation, and correction of rejected transactions located within the violation file. As a compensating control, there were overviews and an appendix covering error codes and clearing violations in AAS and ABS that are distributed to all associates who enroll in and complete training classes.

The identity of the user or the original rejected transaction was not identified in the violation file. As a compensating control, the identity of the user or originating transaction was located on the block ticket.

Unable to verify that all sampled rejected transactions were corrected, since not all documentation requested for the violation file sample was provided.

Control Activity:
AY-3.2 Erroneous data are reported back to the user department for investigation and correction.

Control Description:
Accounting Operations is responsible for monitoring and correcting rejected transactions. A report is generated on a daily basis that identifies all open violations for management review.

Errors are corrected by the Accounting Technician assigned to support that customer.

Function Codes control access to the suspense file.

Tests of Operating Effectiveness:
Inquired how rejected transactions were reported.

Inquired who corrected the rejected transactions.

Inquired whether supervisors reviewed corrected transactions.

Inspected supporting documentation for a sample of rejected and corrected transactions over the last six months.

Results of Tests of Operating Effectiveness:
No relevant exceptions were noted.

Control Activity:
AY-4.1 Control output production and distribution.

Control Description:
The DBMS System Division is responsible for ensuring that all outputs are produced and distributed according to customer requirements.

The data processing control group, or some alternative:
• Has a schedule by application that shows when outputs should be completed and passed to OLRV.
• Reconciles control information to determine completeness of processing.

The Mechanization of Reports Distribution System automatically checks the output message before displaying, writing, or printing to make sure the output has not reached the wrong terminal device.

Output from reruns is subjected to the same quality review as the original output.

Tests of Operating Effectiveness:
Inquired which division/department was responsible for ensuring that all outputs (reports) were produced and distributed according to the requirements of DBMS and user management.

Inquired whether the data processing control group maintained a schedule, by application, that showed:
• Output products produced;
• When they should have been completed;
• Who the recipients were;
• The copies needed; and
• When they were to be distributed.

Inquired if a schedule had been established for month-end, quarter-end, and year-end report processing. Inspected a copy of this schedule.

Results of Tests of Operating Effectiveness:
No relevant exceptions were noted.

Control Activity:
AY-4.2 Reports showing the results of processing are reviewed by users.

Control Description:
Output reports are reviewed for data accuracy, validity, and completeness by multiple end users (Management, Accountants, Technicians, etc.) based on the nature of the data being reviewed, including:
• Error reports,
• Transaction reports,
• Master record change reports, and
• Control totals balance reports.

Printed reports contain a title page with the report name, time and date of production, and the processing period covered, and have an "end-of-report" message.

Tests of Operating Effectiveness:
Obtained and inspected examples of the reports produced by DBMS. Compared the reports to information in DBMS for completeness.

Inquired that each report had a title page with the name, time and date of production, and had an end-of-report page. Observed and inspected these reports.

Inquired if a log was maintained for all reports produced.

Inspected the log for printed reports.

Inquired that the contents of reports were protected against unauthorized access, modification, and deletion.

Inquired if any reports were sent to supervisors to approve prior to issuance.

Inspected a sample of reports that were approved.

Inquired if a log of output errors was maintained. Inspected the log of output errors.

Inquired if users reviewed reports for data accuracy, validity, and completeness.

Results of Tests of Operating Effectiveness:
Error, transaction, and master record change reports from the OLRV did not include an end-of-report page.

Integrity (IN)

Controls provide reasonable assurance that production processing uses the current version of software and data, that programs include routines for checking internal file header labels before processing, and that concurrent updates of files are not allowed.

Control Activity:
IN-1 Integrity controls over processing and data files ensure the current version of production is used during processing.

Control Description:
Procedures ensure that the current versions of production programs and data files are used during processing by completing Release Check Lists.

Programs include routines for checking internal file header labels before processing.

The application protects against concurrent file updates.

Tests of Operating Effectiveness:
Inspected policies and procedures that ensure that the current version of production programs and data files was used during processing.

Inquired that DBMS included routines to verify that the proper version of the computer file was used during processing.

Inquired that DBMS included routines for checking internal file header labels before processing.

Inquired that DBMS protected against concurrent file updates.

Inquired that DBMS used transaction roll-back and transaction journaling.

Inquired that DBMS management maintained a current baseline inventory of all software required to support system operations.

Results of Tests of Operating Effectiveness:
No relevant exceptions were noted.

Section IV: Supplemental Information Provided by the Defense Finance and Accounting Service and the Defense Information Systems Agency

Continuity of Operations Planning
Based on the SLA between DECC-Columbus and DFAS-Columbus Accounting Services, DECC-Columbus agreed to provide COOP services to DFAS-Columbus. Specifically, DECC-Columbus agreed to:

    • Support and maintain back-up tapes.
    • Ensure off-site storage back-ups are performed weekly. These procedures are in place to validate the integrity of back-up tapes prior to their being sent off-site.
    • Perform off-site storage back-ups as required by DFAS-Columbus, which has classified DBMS as 'critical' and is to be recovered immediately at an alternate processing site.

The COOP Assessment in the SSAA for DBMS that was dated January 1, 2003, contained the following table summarizing DBMS' contingency readiness (an X marks the column that applies):

CONTINGENCY PLAN EVALUATION                                                    YES NO N/A
Is there a contingency plan in existence for this system?                      X
Does the contingency plan, at a minimum, address the following:
The actions required to minimize the impact of a fire, flood, civil disorder,
natural disaster, or bomb threat                                               X
Backup procedures to conduct essential IS operational tasks after a
disruption to the primary IS facility                                          X
Recovery procedures to permit rapid restoration of the IS facility
following physical destruction, major damage or loss of data                   X
Does this contingency plan provide for the following:
Storage of system back-up data in off site storage or in the central
computer facility in metal or other fire retardant cabinets                    X
Duplicate system tapes, startup tapes/decks, database save tapes, and
application program tapes unique to the site to be maintained in a secure
location removed from the central computer facility                            X
Identification of an alternate site containing compatible equipment            X
Destruction or safeguarding of classified material in the central computer
facility in the event that the facility must be evacuated                      X
The contingency plan has been tested during the past year                      X
The ISSO maintains a copy of the contingency plan                              X
The contingency plan contains criteria to state when it should be
implemented and who can make that decision                                     X

Acronyms and Abbreviations
 AAS            Appropriation Accounting Subsystem
 ABS            Automated Billing System
 APF            Authorized Program Facility
 BOSS           Base Operations Support System
 C&A            Certification and Accreditation
 CAC            Common Access Card
 CDA            Change Design Activities
 CICS           Customer Information Control System
 DBA            Database Administrator
 DBMS           Defense Business Management System
 DCPS           Defense Civilian Pay System
 DDARS          Distributed Data Archive and Retrieval System
 DD Form 2875   System Authorization Access Request
 DECC           Defense Enterprise Computing Center
 DFAS           Defense Finance and Accounting Service
 DISA           Defense Information Systems Agency
 DITSCAP        Defense Information Technology Security Certification and
                Accreditation Process
 DoD            Department of Defense
 DoDI           Department of Defense Instruction
 FTP            File Transfer Protocol
 ID             Identification
 IT             Information Technology
 ISSO           Information System Security Officer
 LACT           Liaison Activity Code Table
 LPAR           Logical Partition
 MAC            Mission Assurance Category
 OIG            Office of the Inspector General
 OLRV           Online Report Viewer
 RACF           Remote Access Control Facility
 RAS            Resource Administration Subsystem
 SDLC           System Development Life Cycle
 SLA            Service Level Agreement
 SMC            Security Management Center
 SRD-1          Standard Financial System Redesign Subsystem
 SSAA           System Security Authorization Agreement
 STIG           Security Technical Implementation Guide
 TASO           Terminal Area Security Officer
 TSO            Time Sharing Option
 z/OS 1.4       z/OS, Release 4, Version 1.4

Report Distribution
Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense (Comptroller)/Chief Financial Officer
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
Director, Program Analysis and Evaluation

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Auditor General, Department of the Air Force

Combatant Command
Inspector General, U.S. Joint Forces Command

Other Defense Organizations
Director, Defense Finance and Accounting Service – Accounting Services
Director, Security Management Center - Ogden

Non-Defense Federal Organizations
Government Accountability Office
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform

Team Members
The Defense Financial Auditing Service, Department of Defense Office of the Inspector General produced this report.

Paul J. Granetto
Patricia A. Marsh
Addie M. Beima
Michael Perkins
Kenneth H. Stavenjord
Donna A. Roberts
LTC Shurman Vines
Cindy Gladden
Ahn Tran
Towanda L. Stewart
Anissa M. Nash
Patricia A. Joyner
J. Shawn Sparks
Brian A. Royer